🇷🇺
Critical Risk

Russian Federation

The largest nation-state cryptocurrency threat by volume, with over $12 billion processed through sanctioned exchanges Garantex and Cryptex, supporting ransomware operations and sanctions evasion.

Active Wallets: 75
Total Volume: $12.50B
Threat Actors: 5
Active Alerts: 15

Executive Summary

Russia represents the highest volume nation-state cryptocurrency threat, with over $12 billion processed through sanctioned infrastructure. The ecosystem primarily revolves around two major sanctioned exchanges: Garantex (designated April 2022) and Cryptex (designated September 2024).

Key threat vectors include:

  • Sanctioned cryptocurrency exchanges (Garantex, Cryptex, Grinex)
  • Ransomware payment processing infrastructure
  • GRU and FSB cyber operations funding
  • Post-invasion sanctions evasion networks

Following the 2022 invasion of Ukraine, Russia significantly expanded its cryptocurrency infrastructure to circumvent unprecedented Western sanctions. The U.S. Treasury has designated multiple Russian exchanges and hundreds of associated wallet addresses.

Threat Actors

GRU Unit 74455 (Sandworm)

HIGH CONFIDENCE

Also known as: Sandworm, Voodoo Bear, TEMP.Noble, Seashell Blizzard

Estimated Volume: $500.00M

Russian military intelligence unit involved in cyber operations and cryptocurrency usage for operational funding and ransomware.

First Observed: 2008
Active Wallets: 18
Last Activity: 2025-02-15

Tactics: Ransomware operations, Cryptocurrency laundering, Sanctions evasion, Critical infrastructure attacks

Primary Targets (4 categories): Critical infrastructure, Government systems, Financial networks, Energy sector

FSB Center 16/18

HIGH CONFIDENCE

Also known as: Turla, Venomous Bear, Snake, Secret Blizzard

Estimated Volume: $150.00M

Russian intelligence units involved in cryptocurrency operations for espionage funding.

First Observed: 2004
Active Wallets: 12
Last Activity: 2025-01-30

Tactics: Espionage, Data exfiltration, Cryptocurrency payments

Primary Targets (3 categories): Government, Diplomatic missions, Defense contractors

Conti / Wizard Spider

HIGH CONFIDENCE

Also known as: Wizard Spider, Gold Ulrick, Grim Spider

Estimated Volume: $180.00M

Russian ransomware group with suspected FSB ties. Responsible for over $180M in ransom payments.

First Observed: 2020
Active Wallets: 45
Last Activity: 2024-06-15

Tactics: Ransomware, Double extortion, Data theft

Primary Targets (3 categories): Healthcare, Critical infrastructure, Enterprises

Garantex Exchange

OFAC DESIGNATED

Designated April 5, 2022

Moscow-based cryptocurrency exchange that facilitated over $6 billion in transactions, including processing funds for ransomware groups like Conti and for Hydra Market darknet transactions. Despite sanctions, it continues operating as "Grinex" with new addresses.

Total Volume: $6B+
Transactions: 245K+
Status: Active (as Grinex)

Ransomware, Darknet, Sanctions Evasion, Rebranded

Cryptex Exchange

OFAC DESIGNATED

Designated October 1, 2024

Russian cryptocurrency exchange designated for facilitating ransomware payments and sanctions evasion. Processed nearly $6 billion before designation, with significant connections to ransomware-as-a-service operations.

Total Volume: $5.88B
Transactions: 198K+
Status: Disrupted

Ransomware, RaaS, High Volume

OFAC Designated Wallets

6 addresses tracked

| Address | Chain | Entity | Designated | Received | Txns | Risk |
|---|---|---|---|---|---|---|
| 0x7F367c...DEbe1B | ethereum | Garantex Exchange | 2022-04-05 | $6.00B | 245,000 | 100 |
| 0x2f389c...4f6535 | ethereum | Cryptex Exchange | 2024-10-01 | $5.88B | 198,000 | 100 |
| 0x19Aa5F...0b4dFF | ethereum | PM2BTC Exchange | 2024-10-01 | $750.00M | 45,000 | 100 |
| bc1qz2u7...n8z9eu | bitcoin | Conti Ransomware | 2022-08-15 | $85.00M | 1,250 | 100 |
| bc1qn9ah...zcz5z7 | bitcoin | Wizard Spider Operations | 2022-06-01 | $45.00M | 890 | 100 |
| 0x8576aC...91353C | ethereum | Sandworm Unit 74455 | 2023-03-15 | $25.00M | 345 | 100 |

These addresses are officially designated by the U.S. Treasury's Office of Foreign Assets Control (OFAC). Transactions with these addresses may violate U.S. sanctions laws.

Ransomware Ecosystem

Russia-linked ransomware groups have extracted over $1.5 billion from victims worldwide, with payments frequently processed through Garantex and Cryptex infrastructure. Key ransomware operations include:

  • Conti: $180M+ (extorted since 2020)
  • REvil: $200M+ (before disruption)
  • LockBit: $500M+ (ongoing operations)
  • BlackCat: $300M+ (active threat)

Darknet Market Connections

Russian cryptocurrency infrastructure also supports darknet marketplace operations. The now-defunct Hydra Market processed over $5 billion before its seizure in 2022, with significant transaction flow through Garantex.

  • Hydra Market: $5.2B (seized April 2022)
  • Solaris: $150M (disrupted 2023)
  • Kraken: $80M+ (active monitoring)

Integrate Russia Threat Data

Access Russia-linked threat intelligence via our free API

API Request
curl -X GET "https://api.nsctip.com/v1/nations/russia" \
  -H "X-API-Key: YOUR_API_KEY"

For Research & Public Interest

Free access for researchers, journalists, academics & compliance professionals