The Global Ledger (GL) team has discovered a scheme that allows the sanctioned exchange to cut its risk score almost 2x. It helps Garantex not only function but flourish.
- Despite sanctions, Garantex has managed to maintain its presence in the cryptocurrency arena.
- The Global Ledger team discovered a scheme that allows the exchange to bypass sanctions.
- Garantex transfers crypto to “proxy” clusters to blend it with clean funds, which leaves the funds with a significantly lower risk score than the one initially assigned.
- Such a decline in the risk score is a huge problem because VASPs will no longer treat the funds as high-risk. It means the sanctioned exchange can continue operating at a large scale.
Sanctions and regulatory challenges are the hot crypto topics lately. To mention just a few: Hamas-related Binance accounts frozen by the police, and Bitzlato.io, Blender.io, Tornado Cash, Hydra, and Garantex, which have all faced sanctions. The regulatory process seems to be on track. Still, some find ways to circumvent restrictions.
The Garantex crypto exchange is precisely such an example. The crypto community’s attention was last drawn to it during the investigation of the Atomic Wallet hack, where over $100 million in crypto was laundered with Garantex’s involvement.
After this incident, the GL team decided to check Garantex’s activities post-sanctions, i.e., after April 5, 2022. Surprisingly, it was discovered that despite the sanctions, from this date up to September 10, 2023, the exchange executed transactions totaling approximately 35,950 BTC. Considering the average Bitcoin price for the period under review was roughly $23,791 (calculated using monthly historical data from CoinMarketCap), it’s about $855,286,450. Please keep in mind: This data focuses on bitcoin, not taking other cryptocurrencies into consideration.
One might assume that Garantex had completely shifted its focus to the Russian market after losing its Estonian license. However, data gleaned from the GL Sankey graph presents a different narrative. Our September 10, 2023 report shows that Garantex – OFAC-listed (Office of Foreign Assets Control) – is still active. Moreover, well-known exchanges are among the entities sending transactions to the sanctioned service provider and receiving funds from it:
- WhiteBIT, etc.
Screenshot from GL Sankey graph that illustrates exposure to and from Garantex after sanctions were imposed (05.04.2022 – 10.09.2023)
These data led to the conclusion that Garantex relies on other ways of staying operational rather than simply redirecting all its efforts to the Russian market. The Global Ledger team investigated these pathways: using a deposit wallet provided by a Garantex representative, the team made a deposit transaction and traced it. This revealed that Garantex creates so-called proxy clusters to “blur” the risk that exchanges see when screening funds coming from Garantex.
Let’s dive deeper into the case to understand the scheme completely.
This six-step scheme allows Garantex to bypass sanctions
The exchange moves crypto to “proxy” clusters to mix it with clean funds. As a result:
- The risk score is much lower than before the scheme was used.
- The funds are mixed with clean crypto, making it challenging to trace the origins of the illicit assets.
Example 1: Laundered money lands on OKEx, the risk score drops by 48 points
Let’s take a look at an example of the scheme that Garantex uses.
- We start analyzing the scheme with wallet bc1qfj3rvusf5v4505qzqv8unjudys8jccgkrvftuc, highlighted in a black frame. This is the wallet of a user who makes a deposit to the Garantex deposit wallet.
- After that, the funds go to the main Garantex cluster marked in red, where they are mixed with the rest of the Garantex funds. Note: It was a newly created wallet cluster, as other addresses had already been labeled as belonging to a sanctioned VASP.
- At some point, Garantex, like any other exchange, transfers its funds to other wallets. The difference is that a regular exchange makes a transfer to a hot or cold wallet for storage, while Garantex moves funds for laundering with potential subsequent cashing out.
As you can see in the screenshot below, funds from all Garantex wallets go to a single wallet bc1qhxam9dkzyx9wa4g3eq0hngavwu66q6xayy73vy for further movement.
Screenshot from GL Vision that illustrates the whole scheme of how Garantex “blurs” the AML risk score with the last activity of the “proxy” cluster (22.04.2023)
- For the next movement of funds, Garantex uses 15 different wallets for 15 hops before depositing funds into the “proxy” cluster. The wallet 32mZpMCFQd9BgmX5k86iNew2veCVHJzaq6 is the 15th hop before the “proxy” cluster and still carries a risk score of 100.
- In the “proxy” cluster, these funds are mixed with clean funds not associated with the main Garantex cluster. The wallet bc1qftkhyr9lkpr8qgqg960m695wcl4c79a6a7std3, right after the “proxy” cluster, already has a risk score of 95.
- After four hops, 33.499 BTC land on the OKEx exchange. Before entering OKEx, wallet 39RTXYGRb6VvCj1z3B5qKrrgbUAnzspKzQ has a risk score of only 52, while, in fact, all these funds are still from Garantex.
Eventually, funds go to OKEx from a wallet with a risk score of only 52, while in fact all these funds are still Garantex’s
Such a decline is the main problem. The exchange will consider these funds low-risk, or as coming from an unknown source, but not high-risk. This allows Garantex to “hide” the risk of the transaction and continue to function and launder funds.
A similar “blurring” pattern can be found in many cases. Here are some more examples.
Example 2: OKEx gets more illicit crypto, risk score falls by 46 points
In this example, Garantex managed to transfer 53.999 BTC to OKEx. Here, the funds go from the main Garantex cluster straight to the “proxy” one, then, after a few hops through different wallets, they move to another “proxy” cluster.
Screenshot from GL Vision that illustrates the whole scheme of how Garantex “blurs” the AML risk score with the last activity of the “proxy” cluster (13.03.2023)
Example 3: Illicit funds sent to Bybit, risk score decreases by 32 points
This example shows how Garantex transferred a total of 65.994 BTC to Bybit. We see six “proxy” clusters. After passing through them, the risk scores of the two flows of funds drop to 63 and 65.
Screenshot from GL Vision that illustrates the whole scheme of how Garantex “blurs” the AML risk score with the last activity of the “proxy” cluster (06.07.2023)
“Proxy” clusters stick to the same pattern: 1 address = 1 input + 1 output transaction → shutdown
Looking at the transaction distribution within the “proxy” clusters, the same process appears inside each cluster: every address receives one deposit transaction and makes one withdrawal transaction almost at the same time.
After the cluster has completed the required number of transactions, it is no longer used. Moreover, the addresses in the cluster stop operating simultaneously.
Data confirming this pattern can be seen in the screenshots next to the clusters.
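The three traits just described (one deposit and one withdrawal per address, made close together, and the whole cluster going quiet at the same time) can be turned into a screening heuristic. The following is an added example, not Global Ledger’s detection code; the cluster labels, addresses, timestamps and one-hour windows are constructed for illustration.

```python
# Added example, not Global Ledger's detection code: a heuristic over
# constructed address-activity records for the "proxy" cluster pattern
# described above (one deposit and one withdrawal per address, made close
# together, and the whole cluster going quiet at about the same time).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (cluster, address, direction, ISO timestamp)
RECORDS = [
    ("proxy_A", "a1", "in",  "2023-04-22T10:00:00"),
    ("proxy_A", "a1", "out", "2023-04-22T10:03:00"),
    ("proxy_A", "a2", "in",  "2023-04-22T10:01:00"),
    ("proxy_A", "a2", "out", "2023-04-22T10:04:00"),
    ("proxy_A", "a3", "in",  "2023-04-22T10:02:00"),
    ("proxy_A", "a3", "out", "2023-04-22T10:05:00"),
    # an ordinary exchange-style cluster: reused addresses, activity spread over weeks
    ("exch_B", "x1", "in",  "2023-04-01T09:00:00"),
    ("exch_B", "x1", "in",  "2023-04-03T09:00:00"),
    ("exch_B", "x1", "out", "2023-04-05T09:00:00"),
    ("exch_B", "x2", "in",  "2023-04-10T09:00:00"),
    ("exch_B", "x2", "out", "2023-04-20T09:00:00"),
]

def classify_clusters(records, hold_window=timedelta(hours=1),
                      shutdown_window=timedelta(hours=1)):
    """Return {cluster: True} for clusters matching all three proxy traits:
    every address has exactly one deposit and one withdrawal, the withdrawal
    follows the deposit within hold_window, and the last activity of all
    addresses falls within shutdown_window of each other."""
    by_cluster = defaultdict(lambda: defaultdict(lambda: {"in": [], "out": []}))
    for cluster, addr, direction, ts in records:
        by_cluster[cluster][addr][direction].append(datetime.fromisoformat(ts))
    verdict = {}
    for cluster, addrs in by_cluster.items():
        one_in_one_out = all(len(a["in"]) == 1 and len(a["out"]) == 1
                             for a in addrs.values())
        quick_flip = one_in_one_out and all(
            timedelta(0) <= a["out"][0] - a["in"][0] <= hold_window
            for a in addrs.values())
        last_seen = [max(a["in"] + a["out"]) for a in addrs.values()]
        same_shutdown = max(last_seen) - min(last_seen) <= shutdown_window
        verdict[cluster] = one_in_one_out and quick_flip and same_shutdown
    return verdict

if __name__ == "__main__":
    for cluster, flagged in classify_clusters(RECORDS).items():
        print(cluster, "matches proxy pattern" if flagged else "does not match")
```

A match on its own is only a signal to trace further back, not proof of a sanctioned origin.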
To sum it up
Risk assessment in crypto is a must-have, according to FATF requirements. So how could VASPs have no idea they were dealing with illicit funds?
Assessment results depend on the approach, methodology, and overall compliance strategy. As we have seen in the examples above, GL researchers had to investigate multistep interactions to find the real source of funds. In these cases, they had to trace it back via 20+ hops. The issue is that:
- When checking the source of funds, many exchanges analyze data only up to a few hops back.
- Tracing many hops back for every single case is not common practice for VASPs, especially large ones. For instance, Binance’s 24-hour volume is over $5.4 billion, as of October 10, 2023. With such a trading volume and 150 million registered users, checking transactions 20 hops back would be challenging.
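The dilution seen in Example 1 and the lookback limit described in the two points above can be reproduced on a toy transaction graph. This is an added example, not Global Ledger’s code or its risk model: risk is modelled as the share of value tracing back to a sanctioned address (proportional taint), and the chain, addresses and amounts are constructed.

```python
# Added example, not Global Ledger's code or its risk model: a constructed
# transaction graph in which funds from a sanctioned cluster are mixed with
# clean funds in a "proxy" address and forwarded through further hops.
# Risk is modelled here as the share of value that traces back to a
# sanctioned address (proportional taint), a deliberate simplification.
from collections import defaultdict

# Constructed sample transactions: (txid, inputs [(addr, btc)], outputs [(addr, btc)])
TXS = [
    ("t1", [("garantex_main", 30.0)], [("hop1", 30.0)]),
    ("t2", [("hop1", 30.0)], [("hop2", 30.0)]),
    # the "proxy" step: sanctioned and clean funds enter one transaction
    ("t3", [("hop2", 30.0), ("clean_a", 30.0)], [("proxy_out", 60.0)]),
    ("t4", [("proxy_out", 60.0)], [("hop3", 60.0)]),
    ("t5", [("hop3", 60.0), ("clean_b", 20.0)], [("exchange_deposit", 80.0)]),
]
SANCTIONED = {"garantex_main"}

def build_funding(txs):
    """Map each receiving address to the input lists of the transactions that funded it."""
    funding = defaultdict(list)
    for _txid, ins, outs in txs:
        for addr, _btc in outs:
            funding[addr].append(ins)
    return funding

def taint(addr, funding, max_hops, _depth=0):
    """Fraction of value at addr that originates from a sanctioned address,
    tracing back at most max_hops transactions. Inputs beyond that horizon
    count as unknown (taint 0), which is exactly what a shallow screening does."""
    if addr in SANCTIONED:
        return 1.0
    if _depth >= max_hops or addr not in funding:
        return 0.0
    total = tainted = 0.0
    for ins in funding[addr]:
        for in_addr, btc in ins:
            total += btc
            tainted += btc * taint(in_addr, funding, max_hops, _depth + 1)
    return tainted / total if total else 0.0

def screen(addr, max_hops):
    """Sanctioned exposure, in percent, as seen by a screener looking max_hops transactions back."""
    return round(100 * taint(addr, build_funding(TXS), max_hops), 1)

if __name__ == "__main__":
    for hops in (3, 5):
        print(f"lookback {hops} hops: {screen('exchange_deposit', hops)}% sanctioned exposure")
```

The sanctioned origin sits five transactions behind the deposit: a four-hop lookback reports 0% exposure, a five-hop lookback reports 37.5%, and the mixing step alone already halves the share.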
Garantex leverages the situation. Thanks to the described scheme, it can continue operating up to the present day – even after the sanctions were imposed. This approach helps not only to launder funds on a large scale but also to remain undetected by exchanges that do not know they are accepting funds from a sanctioned source.