Elliptic warns of Russia-linked crypto payment routes

Elliptic said that a set of exchanges and brokers are providing conversion rails that let rubles be swapped into cryptoassets, moved across borders without bank intermediaries, and then exchanged back into local currency through overseas brokers or exchanges.

In its analysis, Elliptic singled out five services – Bitpapa, ABCeX, Exmo (Exmo.com and Exmo.me), Rapira and Aifory Pro – arguing they continue to enable sanctions circumvention despite growing regulatory pressure and, in some cases, claimed geographic separation from Russia that on-chain activity does not support.

One of the most striking examples in the report was ABCeX, which Elliptic described as running both order-book and peer-to-peer ruble-to-crypto trading while operating an office in Moscow’s Federation Tower, a location the firm said had previously been occupied by Garantex. Elliptic said ABCeX uses wallet obfuscation methods intended to prevent transactions being linked back to the service, and estimated it has processed at least $11 billion in cryptoassets, with notable flows sent to sanctioned Garantex and to Aifory Pro.

Bitpapa, a peer-to-peer exchange Elliptic said is registered in the UAE but primarily targets Russian users, was the only one of the five platforms that Elliptic noted as already sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). Elliptic said Bitpapa’s sanctions-evasion exposure was visible in where funds go next: about 9.7% of its outgoing crypto funds were destined for OFAC-sanctioned targets, including roughly 5% directed specifically to Garantex. Elliptic added that blockchain patterns suggest Bitpapa rotates wallet addresses frequently in a way designed to make it harder for transaction-monitoring systems to identify it as a counterparty and to obscure the Russian origin of funds.

Exmo was flagged as a case where corporate messaging about post-2022 separation from Russia was “contradicted by on-chain data,” according to Elliptic’s write-up. Elliptic said Exmo.com and Exmo.me – after the company said it sold its regional business – continued to share custodial wallet infrastructure, with deposits from either platform pooled into the same hot wallet addresses and withdrawals issued from the same addresses. Elliptic said that operational overlap meant the Russian-facing platform’s flows could be co-mingled with the Western-facing entity’s activity, and reported more than $19.5 million in direct transactions with sanctioned entities including Garantex, Grinex and Chatex.

Rapira, which Elliptic described as a Georgia-incorporated exchange with a Moscow office facilitating ruble-based trading, was tied to direct transactions with Grinex totaling more than $72 million, according to the report. Elliptic also pointed to media reporting that Rapira’s Moscow offices were raided as part of an investigation into suspected capital flight to Dubai.

Aifory Pro was presented as a Russia-linked cash-to-crypto service operating in Moscow, Dubai and Türkiye, and as a “Foreign Economic Activity Payment Agent” supporting international trade payments, including examples involving Russia and China. Elliptic said Aifory Pro markets services meant to bypass restrictions by offering virtual payment cards and Apple Pay-enabled cards that draw on a customer’s USDT balance for foreign services, naming examples such as Airbnb and ChatGPT as services otherwise blocked in Russia. Elliptic also cited what it characterized as high-risk links, including nearly $2 million in cryptoassets sent to Abantether, which it described as an Iranian exchange.

Elliptic’s focus on a “post-Garantex” ecosystem comes after years of enforcement actions around the exchange. OFAC designated Garantex in April 2022 under Russia-related authorities, and later cited its role in facilitating malicious cyber-enabled activity. U.S. authorities also described an international operation in March 2025 that disrupted Garantex, outlining allegations that operators continued to transact despite the sanctions.

Garantex’s footprint has also been pressured through stablecoin controls and wider sanctions packages. In March 2025, Garantex said it suspended services after wallets linked to the platform holding more than 2.5 billion rubles worth of USDT were blocked, according to a report on the suspension.

Report ties part of the current risk to the way Russia-linked services can be structured across jurisdictions while still catering to ruble liquidity and Russia-based operations. The firm’s central claim is that the services it identified provide practical transaction routes for sanctioned or Russia-connected entities to move value cross-border using crypto conversion points, with on-chain flows and wallet infrastructure offering signals that are not always visible through corporate registration alone.