Assets of the Garantex cryptocurrency exchange mentioned in the Elliptic study, allegedly linked to financing Palestinian militants, were very likely sent to a client either for providing small services or as part of an exchange transaction. This was stated by the platform’s marketing director Evgenia Burova in an interview with the YouTube channel Satoshkin.
How did it all begin?
The Elliptic expert report published in July relies on analysis of wallets linked to Palestinian Islamic Jihad (PIJ) whose assets were seized under an order of the Israeli Defense Ministry. The list contained 26 Tron addresses and another 67 client accounts on various cryptocurrency exchanges.
“In total, 26 disclosed wallets contain more than $93.7 million in USDT, USDC and TRX. Since the order also mentions exchange addresses, it is unclear which part of these funds belongs directly to PIJ,” Elliptic noted.
At the same time, the experts found that the listed wallets conducted large transactions with addresses linked to Hezbollah, Hamas and other organisations involved in illicit financial services.
Studying the flow of funds, Elliptic found that some of them were processed through the sanctioned Russian exchange Garantex and the decentralized platform Sunswap.
“Similar funding strategies are observed among other Palestinian groups, such as Hamas,” the Elliptic report said.
In early October, after Hamas’s attack on Israel, The Wall Street Journal (WSJ) published an article based on this research that focused on Garantex’s role in the story.
What sums are involved?
According to Elliptic’s diagram, 3,300 USDT were transferred from a PIJ-linked wallet to the exchange. Subsequently, $224 million in USDT, USDC and TRX were moved from Garantex to an unknown external address, which also received funds from the Palestinian group.
According to Evgenia Burova, the seven-figure sum went to a large exchange in the Persian Gulf and was most likely “spent by relocated Russians, for example on real estate or starting a business”.
“Such sums naturally attract close attention from our security service. Here it is a routine relocation of funds abroad,” she explained.
According to Sergei Mendeleev, CEO of Indefibank, the recipient address is likely not a wallet but a cluster.
“It is impossible to attribute movements from Garantex to a single wallet of that size, and across different blockchain currencies,” he said in a comment to ForkLog.
Explaining the link to Palestinian organisations, Burova noted that Garantex’s clients include UAE exchanges, as they offer “the best opportunities to exchange USDT for dollars”.
As for the 3,300 USDT that, according to Elliptic’s diagram, Garantex received directly from a PIJ-linked wallet, it could have been either an exchange operation or payment for “some small services”, the exchange’s representative added.
“We monitored chats, and in one of them a client admitted that he indeed took money from some Palestinians for legal services in Russia. Maybe some Garantex clients provided such services,” Burova suggested.
She also did not exclude that “it is more likely this could be planted, tainted crypto or a setup”. At the same time, in her words, at the moment of receipt by the exchange the transaction was “clean and untagged”:
“Between different AML services there are differences in tagging. Elliptic could have tagged this transaction for some of its own reasons. But we check every transaction very carefully at the moment of receipt, and if it raises any suspicions, we send it back.”
Burova added that Garantex does not accept politically exposed persons as clients. She said that even though Hamas is not recognised as a terrorist organisation in Russia, its activity is political.
“These are transactions that may attract unwanted attention. And we classify them as sufficiently high risk to not accept them,” she said.
Experts at HAPI, after studying Elliptic’s diagram and the list of sanctioned addresses, concluded that the unknown wallet is a Garantex-linked cluster through which about $600,000 of the total sum was laundered.
“These addresses are not the only ones. However, since we cannot identify all addresses that Elliptic clusters, we cannot confirm movements of $224 million,” they told ForkLog in a comment.
Of the same total, $300,000 was processed by Binance and $100,000 by ChangeNow.
“On Binance, money was mostly cycled in small sums of $50-300 in equivalent, to bypass the exchange’s AML systems. Sums of $3,000 and up were directed to the address linked to Garantex,” HAPI noted.
The experts also stressed that the Binance wallets involved in the transfers are completely absent from Elliptic’s diagram.
Garantex’s internal rules
According to Burova, Garantex has its own cryptocurrency and fiat compliance departments, and there is also internal KYT tagging.
The exchange cooperates with foreign authorities through Interpol and provides assistance upon legitimate requests to seize cryptocurrency.
“We do not allow cryptocurrency from tagged wallets into the pool of funds that are circulating on the exchange. Initially we cannot refuse a transaction to the primary wallet, but later in the exchange rotation this dirty crypto does not enter. It either waits for requests from law enforcement, or is sent back,” Burova added.
The KYC procedure at Garantex includes providing passport data and place of residence. For foreign clients, a personal visit to the company office is required to verify identity. In some cases the company may request proof of origin of funds, as indicated in the user agreement.
Finally, Burova noted that since the exchange is based in Russia, it must comply with the applicable laws of that jurisdiction and with international agreements. Garantex does not operate outside Russia.
According to her, the WSJ article will not have a material impact on their operations, as Russians, especially those abroad, need cryptocurrency.
Other figures
Based on data from Israeli authorities, ChainArgos published a diagram of stablecoin inflows on the Tron network to wallets controlled by various groups.
USD stablecoin flows into Tron accounts that the Israeli National Bureau for Counter Terror Financing (#NBCTF) has publicly claimed are controlled by #Hamas, #Hezbollah, #ISIS, or other #terrorists are significantly higher than we expected, totaling in the billion dollar range.… pic.twitter.com/PmN9CBc4w4
— ChainArgos (@ChainArgos) October 15, 2023
In total, from 2021 to 2023, 67,321 transactions worth more than $1.4 billion were made from these addresses.
Part of the funds was linked to the Russian cryptocurrency pyramid Amir Capital.
Also, according to researchers, a “huge number of transactions” of $3,000-$3,900 were sent directly from Binance to the aforementioned addresses.
Also fascinating:
1. Transfers to the wallets Israeli intelligence has flagged are deeply interwoven with Amir Capital, a massive and well documented Russian ponzi.
2. Transfers to these wallets from Binance are done in huge numbers but in very small amounts. Is this smurfing? pic.twitter.com/telXoxARxY
— ChainArgos (@ChainArgos) October 16, 2023
The chart shows that some transfers from the exchange began and ended almost simultaneously.
Wallet activity started to decline after orders to freeze accounts. However, ChainArgos experts doubted that the groups immediately stopped using them. Therefore, the figures, excluding the last 3-4 months, may be significantly understated, they say.
As noted, the Estonia-based digital asset exchange Garantex came under OFAC sanctions in April 2022. According to the regulator, the platform conducted operations totaling more than $100 million linked to illicit actors. Among the latter were the hacker group Conti and the darknet marketplace Hydra.
The Estonian operator of the exchange Garantex Europe OÜ lost its license in March 2022. Nevertheless, the company continued to operate. According to Delfi, prosecutors opened a criminal investigation into illegal economic activity.
