TI-Russia cryptolaundromat investigation

Image: Courtesy of TI-Russia


How We Investigated a Global Crypto Laundromat

When I sent a single-page “company card” over Telegram, I didn’t expect much. There were no passports attached, no proof of ownership, no formal registration documents. Yet less than half an hour later, I found myself inside a private chat with a lawyer, a finance manager, and a person introduced as a compliance officer.

This was not a random messaging group. It was the onboarding channel of Exved — a platform that emerged after Garantex, a Russian cryptocurrency exchange sanctioned by the US Treasury, was formally shut down.

According to the US Justice Department, from 2019 to 2025 Garantex had “received hundreds of millions in criminal proceeds and was used to facilitate various crimes, including hacking, ransomware, terrorism, and drug trafficking, often with substantial impact to US victims.” In addition to seizing the Garantex site, the DOJ also indicted two men — who it said ran the exchange — on money laundering and conspiracy to evade sanctions charges.

That introductory moment raised a simple yet essential question: how does a sanctioned exchange resurrect itself under a new name and continue to operate, attract new clients, and move money across borders?

To answer that, our team decided not to rely solely on blockchain analysis or leaked documents. We needed to go inside the system.

This article explains how we did it, step by step, and what other investigative journalists can learn from the process.

The Investigative Question

Our goal was not to uncover a single illegal transaction. We wanted to understand several broader questions:

  • How successor platforms to sanctioned crypto exchanges actually work
  • Whether compliance procedures exist in practice
  • And how money moves once a platform claims to be “legal.”

In short, we wanted to test the system from the inside, not just describe it from the outside.

Choosing an Undercover Approach

At an early stage, it became clear that public records and blockchain data alone would not explain how the system actually worked. While on-chain analysis can show where funds move, it does not reveal how clients are onboarded, what questions are asked, or how risks are handled in practice.

In this case, much of the infrastructure operated informally: negotiations took place over messaging apps, contracts were shared directly in chats, and procedures were explained verbally rather than documented publicly. Waiting for leaks or court records would have meant observing the system only after it failed, not while it was functioning.

Going undercover allowed us to test the platform’s own claims. Instead of asking whether compliance rules existed on paper, we could observe whether they were applied in reality. This approach helped us distinguish between formal statements and day-to-day operational behavior.

Step 1: Building a Credible Backstory

Before making contact in October 2024, we created a simple, realistic cover identity.

We posed as a Hong Kong-based electronics exporter, a profile commonly used in Russian “gray trade.” This backstory included:

  • Company name
  • Basic business card
  • Plausible business activity

Importantly, we avoided overcomplicating the story. The goal was not to pass a deep background check, but to survive a routine, superficial one, which, as we learned, was all that we were subjected to.

Lesson: A good undercover identity should be boring, plausible, and easy to remember.

Step 2: Entering the System via Telegram

We contacted Exved through its public Telegram account. Telegram is widely used in Russia for business communication, including financial services.

Within 25 minutes of sending the company card, we were approved and added to a private group chat. At no point were we asked to provide these forms of documentation, which might be required as part of due diligence:

  • Passport scans
  • Proof of beneficial ownership
  • Corporate registry extracts
  • Video verification

For readers unfamiliar with compliance terminology: “KYC” (Know Your Customer) is the process banks and financial platforms use to verify their clients’ identities. In regulated environments, this usually involves identity documents, ownership disclosure, and background checks.

In our case, this process was effectively absent.

Step 3: Documenting the Workflow

Once inside the chat, we carefully documented everything. This involved exporting chat histories, recording calls (where legally permitted), and saving all shared documents.

During our phone calls, company representatives described what they called an “agency model” for payments. On the surface, it sounded like a routine service. In practice, it functioned as a workaround to move money out of Russia without triggering a traditional cross-border transfer.

To understand why this matters, it helps to break the system down clearly.

Under normal circumstances, if a Russian importer pays a foreign supplier, the funds leave Russia via a bank transfer. That transfer is visible to banks and potentially to regulators enforcing sanctions.

In the model described to us, the transfer is divided into separate steps handled by different entities:

  • Step 1: A Russian company (the importer) transfers rubles to a Russian “agent” company under a domestic contract. From the bank’s perspective, this appears to be a local business payment inside Russia.
  • Step 2: That Russian agent does not send the money abroad. Instead, a related partner operating outside Russia makes a separate payment to the foreign supplier.
  • Step 3: The offshore partner may use traditional currency or cryptocurrency (often USDT) to complete this payment.
  • Step 4: The foreign supplier receives funds from a non-Russian entity, meaning there is no visible direct transfer from Russia to the supplier.

The investigation traced how the platform evaded sanctions by using a multi-step payments process and cryptocurrency to hide the importation of goods into Russia. Image: Courtesy of TI-Russia

The key feature of this system is the separation between the Russian ruble payment and the foreign payout. The two transactions are economically connected, but legally and technically appear unrelated.

This is what allows the funds to move internationally without showing up as a sanctioned cross-border transfer.

We asked direct questions about risk, blocked payments, and sensitive goods. The responses indicated that payment narratives can be adjusted, documentation can be tailored, and high-risk goods are routinely handled.

We raised the issue of dual-use goods, which are products like microprocessors that have both civilian and potential military applications. In response, they referred to items classified under Harmonized System (HS) codes, noting that these codes could be reassigned “if possible.” HS codes are internationally standardized numbers used to classify traded goods for customs and regulatory purposes. Changing or selecting different codes can affect how a shipment is categorized and whether it receives additional scrutiny, particularly for items such as telecommunications equipment and microprocessors. These components often fall under export controls because they can be utilized in both advanced weapon systems and consumer electronics.

These conversations were crucial because they showed how the system can work to evade scrutiny in practice, not just in theory.


Discussions on how to conceal the Russian destination of the proposed imports. Image: Courtesy of TI-Russia

Step 4: Following the Money (Without Crypto Jargon)

At one point, we were given a cryptocurrency address for a test payment. We sent a small amount, enough to observe behavior, not to fund activity.

Using publicly available blockchain explorers, we tracked what happened next. The funds moved through a series of wallets that were previously linked to Garantex-related illicit activity.

For journalists unfamiliar with how blockchain works: transactions on public blockchains are visible to anyone. While users may be anonymous, patterns of movement often reveal operational connections.

This step confirmed that the successor platform was not financially isolated from the sanctioned exchange Garantex, and was effectively acting as its replacement.
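The hop-by-hop tracing described in this step can be sketched in a few lines of Python. This is an added example, not the investigation's own tooling: the transfer records, address names and label are constructed placeholders, and a real trace would load the transfers from a block explorer export.

```python
from collections import deque

# Constructed sample transfers: (sender, receiver, amount in USDT, unix time).
# Addresses and the label are invented placeholders, not investigation data.
TRANSFERS = [
    ("reporter", "deposit_A", 10.0, 1000),
    ("deposit_A", "hop_1", 10.0, 1060),
    ("other_client", "hop_1", 500.0, 1010),
    ("hop_1", "hop_2", 510.0, 1200),
    ("hop_1", "unrelated", 5.0, 900),   # sent before the test funds arrived
    ("hop_2", "cluster_X", 510.0, 1500),
]
LABELLED = {"cluster_X": "previously attributed cluster (constructed label)"}

def trace_forward(transfers, start, start_time, labelled, max_hops=4):
    """Follow outgoing transfers hop by hop, only forward in time.

    Returns a list of (path, label) for every labelled address reached.
    """
    outgoing = {}
    for sender, receiver, _amount, ts in transfers:
        outgoing.setdefault(sender, []).append((receiver, ts))
    hits = []
    queue = deque([(start, start_time, [start])])
    while queue:
        addr, arrived, path = queue.popleft()
        if addr in labelled:
            hits.append((path, labelled[addr]))
            continue
        if len(path) - 1 >= max_hops:
            continue
        for receiver, ts in outgoing.get(addr, []):
            # A transfer sent before the funds arrived cannot contain them;
            # refusing to revisit an address stops loops between wallets.
            if ts >= arrived and receiver not in path:
                queue.append((receiver, ts, path + [receiver]))
    return hits
```

A path found this way shows that funds could have flowed along it in time order, not that the same units arrived, because wallets such as `hop_1` pool deposits from several senders.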

Step 5: Verifying Claims with OSINT and Leaks

Undercover work alone is never enough. Everything we were told had to be verified. We used open source tools to check company registrations, confirm office addresses, cross-reference names and entities, and validate leaked documents. We also examined metadata on files we received to confirm when and how they were created.

Where possible, we matched chat timestamps, document dates, and blockchain transactions. This triangulation allowed us to distinguish between genuine operational processes and exaggeration.
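As an added illustration of this triangulation (not the team's own code), the Python sketch below normalises three sources to UTC and lists which chat messages fall close to each document or transaction. The sample records, the four-hour window and the assumption that the chat export shows Moscow local time are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))  # assumption: chat export uses Moscow time

# Constructed sample records; none of these values come from the investigation.
CHAT = [("2024-10-14 15:02", "address for test payment sent"),
        ("2024-10-15 11:30", "contract draft shared")]
DOCS = [("contract_draft.docx", "2024-10-15T08:21:00Z"),   # metadata "created"
        ("invoice.docx", "2024-09-01T10:00:00Z")]
TXS = [("tx_placeholder_1", 1728909900)]                   # unix seconds, UTC

def normalise(chat, docs, txs):
    """Convert all three sources to timezone-aware UTC events."""
    events = []
    for stamp, text in chat:
        local_ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=MSK)
        events.append((local_ts.astimezone(timezone.utc), "chat", text))
    for name, created in docs:
        ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
        events.append((ts, "doc", name))
    for txid, epoch in txs:
        events.append((datetime.fromtimestamp(epoch, timezone.utc), "chain", txid))
    return sorted(events)

def corroborate(events, window=timedelta(hours=4)):
    """For each document or transaction, list chat messages within `window`.

    An empty list marks an item that no recorded conversation accounts for.
    """
    chats = [e for e in events if e[1] == "chat"]
    result = {}
    for ts, kind, ident in events:
        if kind != "chat":
            result[ident] = [text for cts, _, text in chats
                             if abs(cts - ts) <= window]
    return result
```

Here the invoice dated weeks before first contact comes back with no matching conversation, which is the kind of mismatch that calls for a closer look at a document.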

Digital Security: How We Protected Ourselves

Working under a cover identity requires more than technical tools — it requires consistency. One of the main risks in undercover investigations is accidental exposure through small mistakes: logging into the wrong account, sending a file with hidden metadata, or reusing a familiar device.

To reduce these risks, we treated the undercover role as a completely separate workspace. All communications took place on dedicated devices, using accounts created solely for the cover identity. Files received from interlocutors were never opened on personal machines, and all materials were stored offline in encrypted archives.

We were also careful about behavior, not just technology. We avoided responding too quickly, asked questions that matched our supposed level of knowledge, and never volunteered unnecessary details. Digital security, we found, is as much about pacing and restraint as it is about software.

We adhered to basic but strict digital hygiene:

  • Using separate devices for undercover work
  • Creating compartmentalized email and messaging accounts
  • Encrypting all stored materials
  • Removing all metadata from shared files
  • Never using personal financial accounts

Lesson: Operational security is not about sophisticated tools – it’s about discipline.
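The metadata checks mentioned in Step 5 and in the hygiene list above can be run with Python's standard library alone. The sketch below is an added example, not the team's tooling: it audits a .docx for populated property fields and for author names left behind by tracked changes or comments, and the sample file, names and namespaces in `make_sample` are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts of a .docx (a ZIP of XML files) that commonly carry identifying data.
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
PROPERTY_FIELDS = {"creator", "lastModifiedBy", "created", "modified",
                   "Company", "Manager", "Template"}
BODY_PARTS = ("word/document.xml", "word/comments.xml")

def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def audit_docx(data: bytes) -> dict:
    """Return populated property fields and author names left in the body."""
    findings = {"properties": {}, "body_authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in PROPERTY_PARTS:
            if part in names:
                for el in ET.fromstring(zf.read(part)).iter():
                    if local(el.tag) in PROPERTY_FIELDS and (el.text or "").strip():
                        findings["properties"][local(el.tag)] = el.text.strip()
        for part in BODY_PARTS:
            if part in names:
                for el in ET.fromstring(zf.read(part)).iter():
                    # Tracked changes and comments record who made them.
                    for key, value in el.attrib.items():
                        if local(key) == "author" and value:
                            findings["body_authors"].add(value)
    return findings

def make_sample() -> bytes:
    """Constructed minimal archive using the part names of a real .docx."""
    core = ('<cp:coreProperties xmlns:cp="urn:example:cp" xmlns:dc="urn:example:dc">'
            '<dc:creator>Constructed Name</dc:creator>'
            '<cp:lastModifiedBy></cp:lastModifiedBy></cp:coreProperties>')
    doc = ('<w:document xmlns:w="urn:example:w"><w:ins w:author="Second Person"/>'
           '</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

A file is ready to share only when both `properties` and `body_authors` come back empty; when auditing a file received from a counterpart, treat it as untrusted input and run the check on the isolated machine.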

Common Mistakes Journalists Should Avoid

Based on this investigation, several pitfalls stand out:

  1. Overexplaining your cover story — simplicity is safer.
  2. Mixing real and undercover identities — even once can compromise you.
  3. Sending meaningful sums of money — test transactions should be symbolic.
  4. Ignoring metadata — documents can expose you unintentionally.
  5. Not planning an exit — always know how you will disengage.

Most Surprising Findings

The most striking aspect of the investigation was not the complexity of the financial structures, but how ordinary the process felt. Conversations were calm, procedural, and framed as routine business. There was no sense that the platform was operating under exceptional pressure or skirting rules, despite its origins in a sanctioned exchange.

Questions about sensitive goods, compliance risks, or payment disruptions were met with matter-of-fact answers. Instead of resistance or hesitation, we encountered confidence and often reassurance that similarly problematic transactions were handled every day.

This normalization was revealing. It suggested that sanctions had not eliminated the ecosystem, but reshaped it into something quieter and more distributed. For us as investigators, this was an important reminder: systems that pose serious risks to financial integrity often do not look dramatic from the inside. They look efficient, familiar, and routine.

In August of last year, just weeks before we published our investigation, the US government designated a Garantex offshoot exchange, Grinex, for sanctions and also named Exved in the announcement as acting to “subvert US sanctions on Russia’s financial sector.” Exved never responded to questions from us about our reporting.

Key Takeaways

  • Sanctioned systems rarely disappear – they adapt.
  • Messaging apps are now part of the core financial infrastructure.
  • Undercover methods can reveal gaps invisible in documents.
  • Small test actions can unlock significant structural insights.
  • Methodology matters as much as findings.

This investigation showed that financial controls are only as strong as their enforcement and that journalists can play a critical role in exposing how these systems actually work, contrary to regulatory frameworks.

Why This Matters Beyond Russia

The same channels used to move illicit Russian funds can also facilitate payments for prohibited dual-use goods, sensitive technology, and high-risk trade to other sanctioned countries.

Understanding how these systems operate is essential not just for exposing wrongdoing but for strengthening future investigations.

Our methods are reproducible, and we hope this guide helps other journalists apply them safely.


Kristine Baghdasaryan is an OSINT researcher at Transparency International – Russia (in exile). She has developed and managed educational initiatives for NGOs, conferences, and online schools.


Material from GIJN’s website is generally available for republication under a Creative Commons Attribution-NonCommercial 4.0 International license. Images usually are published under a different license, so we advise you to use alternatives or contact us regarding permission. Here are our full terms for republication. You must credit the author, link to the original story, and name GIJN as the first publisher. For any queries or to send us a courtesy republication note, write to hello@gijn.org.
