The $93 Billion Ghost: How Russia Built a Crypto Empire to Kill Western Sanctions

Moscow's Federation Tower complex - where A7 LLC maintains offices on the upper floors. (Pexels)

In September 2025, Vladimir Putin did something unusual. He attended a virtual ribbon-cutting ceremony for a financial services company's branch opening in Vladivostok. Putin doesn't do branch openings. He does missile launches, medal ceremonies, and televised dressings-down of subordinates. But A7 LLC is not an ordinary company. It is the operational core of the most ambitious sanctions evasion machine ever constructed - a parallel financial system designed to make Western economic warfare irrelevant.

The numbers tell the story before the names do. According to TRM Labs' 2026 Crypto Crime Report, cryptocurrency flowing to sanctioned entities and jurisdictions hit $93 billion in 2025. Of that sum, $72 billion was tied to a single token: A7A5, a ruble-pegged stablecoin that didn't exist before January 2025. Chainalysis placed total A7A5 turnover between $72 billion and $93 billion for the year - equivalent to roughly one-third of Russia's entire imports bill.

Sanctions evasion using cryptocurrency surged 700% year-over-year in 2025, according to Chainalysis data published in March 2026. Sanctions-related activity accounted for 86% of all illicit crypto flows. The A7A5 token alone represented more than half of all illicit stablecoin activity globally.

This is the investigation of how it happened.

The scale of sanctions evasion via cryptocurrency in 2025. (BLACKWIRE / CIPHER)

I. The Architect: Ilan Shor and the Theft of the Century

Shor's trajectory from Moldova's biggest fraud to Moscow's sanctions architect traces a decade of impunity. (Pexels)

To understand A7A5, you have to understand the man who built it. Ilan Shor is a Moldovan-Israeli businessman who orchestrated what became known as Moldova's "Theft of the Century." Between 2012 and 2014, more than $1 billion vanished from three Moldovan banks through a labyrinth of opaque transactions to offshore companies. That figure represented roughly one-eighth of Moldova's entire GDP. A country already among Europe's poorest was robbed blind.

Moldovan courts convicted Shor in 2017 as the mastermind behind the fraud. He received a 15-year prison sentence. He never served a day. First he fled to Israel, leveraging his dual citizenship. Then he moved to Moscow, where the Kremlin welcomed him not as a fugitive but as an asset.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned Shor in October 2022, citing his involvement in Russian-backed efforts to destabilize Moldova. The EU followed with its own designations. His nonprofit organization, Evrazia, registered in Moscow, was implicated in funding pro-Russian political operations and election interference campaigns in Moldova. The EU sanctioned Evrazia in October 2024.

But sanctions that target individuals who already operate outside the Western financial system have limited bite. Shor had no dollar-denominated accounts to freeze, no SWIFT connections to sever. He was already living in the one country with the most to gain from building a Western-proof financial architecture.

"It's a big deal because of who Ilan Shor is, and the fact this is designed to try to operate outside of the reach and influence of the US-dollar denominated, traditional financial systems." - Carole House, former White House NSC adviser for cybersecurity policy, speaking to RFE/RL

In late 2024, Shor co-founded A7 LLC. His partner in the venture was no minor figure. Dmitry Fomichev - the son of Mikhail Fomichev, former Russian prime minister's deputy and ex-intelligence official - served as co-executive. The state-owned bank Promsvyazbank (PSB), Russia's eighth-largest and the designated financial institution for Russia's defense-industrial complex, took a 49% ownership stake in A7. The Kremlin wasn't hiding its involvement. It was advertising it.

II. The Machine: How A7A5 Works

The A7 sanctions evasion network - from the Kremlin through shell companies to terror financing endpoints. (BLACKWIRE / CIPHER)

The A7A5 token launched in January 2025. On paper, it is a simple financial instrument: a stablecoin pegged 1:1 to the Russian ruble, issued by a Kyrgyz company called Old Vector, regulated under Kyrgyz financial rules. In practice, it is a purpose-built sanctions evasion engine with three critical features that make it devastatingly effective.

First: unlimited liquidity. Promsvyazbank's deposits back the token. PSB isn't some struggling regional bank - it processes financial transactions for Russia's entire defense sector. When Russian firms need to convert rubles into A7A5, the liquidity is there. There is no practical cap on throughput.

Second: ruble conversion bypass. Every major cryptocurrency exchange banned ruble-denominated transactions after the 2022 invasion of Ukraine. Russian firms holding rubles had no direct path into the global crypto ecosystem. A7A5 solved this overnight. Convert rubles to A7A5, then use A7's instant swap service to convert A7A5 into mainstream dollar-pegged stablecoins like Tether (USDT). The ruble restriction becomes meaningless.

Third: deliberate anonymity. The A7A5-to-stablecoin swap service has no know-your-customer (KYC) processes. None. As Foreign Policy reported on March 31, 2026, blockchain technology records transfers between wallet addresses on a public ledger, but "public" does not mean "identified." Every transaction is visible, but no wallet carries an owner's name. The absence of KYC means connecting a wallet to a sanctioned Russian entity requires intercepted communications, leaked documents, or independent intelligence - exactly the things A7A5's architecture is designed to deny.

The results speak in volume. By February 2025, A7A5 had begun trading publicly on Garantex, a Moscow cryptocurrency exchange that Western law enforcement had flagged for years as a conduit for money laundering, ransomware payments, and terrorist financing. The token moved $9.3 billion in its first four months. By July, cumulative transfers hit $41.2 billion. By August, $51.2 billion. By November 2025, Chainalysis tracked $79 billion. By year-end, the total stood between $72 billion and $93 billion depending on which blockchain analytics firm you ask.

The exponential growth of A7A5 transaction volume through 2025. (BLACKWIRE / CIPHER)

"That is a phenomenal amount of money. That is enormous, for an organization that didn't exist a year ago. The scale of it is really significant." - Elise Thomas, researcher, Center for Information Resilience, speaking to RFE/RL

III. The Shell Game: Kyrgyzstan, Garantex, and Grinex

The thread runs from Moscow's glass towers to a dirt road in Bishkek - by design, not by accident. (Pexels)

The operational geography of A7A5 is a case study in jurisdictional arbitrage. Since 2021, Kyrgyzstan has aggressively positioned itself as a Central Asian cryptocurrency hub, registering at least 13 crypto exchanges and laying groundwork for a national digital currency called USDKG. The regulatory environment is permissive by design - Bishkek wants to attract crypto capital.

A7A5's issuer, Old Vector, was registered in Kyrgyzstan in December 2024. Corporate registry documents obtained by RFE/RL show Old Vector's initial registered headquarters was a small, ramshackle house on a dirt road in Bishkek, surrounded by newer buildings. When RFE/RL reporters visited in July 2025, two boys answered the door and said they were unaware of any company registered at their address. A neighbor confirmed the same.

A company processing tens of billions of dollars in transactions was headquartered at a house where children answered the door. This is not negligence. This is architecture.

Old Vector later moved its registered address to a multistory apartment building called South Park on Bishkek's outskirts. A7-Kyrgyzstan, the company supplying the token to Old Vector, was registered on January 17, 2025, and housed in a former shopping center where security guards blocked RFE/RL reporters from accessing the upper floors.

The exchange layer adds another dimension. A7A5 first traded on Garantex, a Russian exchange sanctioned by the U.S. in 2022 for facilitating money laundering, ransomware payments, and sanctions violations. Despite the sanctions, Garantex operated for three more years. It wasn't until March 2025 that a joint U.S.-EU law enforcement operation finally seized Garantex's domains, confiscated servers in Germany and Finland, and froze $26 million in cryptocurrencies. Two of Garantex's principal operators were indicted by a U.S. grand jury for money laundering.

A7A5 barely blinked. In the weeks before and after the Garantex seizure, billions of A7A5 tokens were shifted to a new exchange called Grinex, first registered in Kyrgyzstan in December 2024. Elliptic reported that five other exchanges replaced Garantex within weeks of its closure. The hydra had already grown new heads before the old one was severed.

The sanctions whack-a-mole: each enforcement action spawns new replacements. (BLACKWIRE / CIPHER)

On August 14, 2025, OFAC sanctioned A7, its subsidiaries, Grinex, Old Vector, and several other linked entities including InDeFi Bank and Exved. The Treasury Department press release explicitly identified the network as enabling "ransomware-linked illicit crypto transactions" and sanctions evasion at scale. The EU followed in October 2025 with its own sanctions package, calling A7A5 "a prominent tool for financing activities supporting Russia's war of aggression."

The sanctions have not stopped A7A5. Every entity in the network already operates outside Western financial channels. A sanctioned exchange closes; another opens. A sanctioned firm is designated; it re-registers under a different name. The entire system was built to withstand exactly this kind of pressure.

IV. Where the Money Goes: Dual-Use Goods and Terror Financing

The $93 billion question: what gets purchased with sanctions-evading crypto? (Pexels)

Follow the money and the picture darkens further. TRM Labs identified that A7 processed approximately $39 billion in transactions directly linked to sanctions evasion in 2025 - a figure roughly equivalent to Russia's entire pre-war annual import bill for high-tech and dual-use goods. The list of cryptocurrency addresses doing business with A7 reads like a directory of sanctions evasion networks.

Many of these addresses are tied to firms in China, Southeast Asia, and South Africa that procure sensitive electronic components, dual-use equipment, and shipping services for Moscow's war effort. This is the pipeline that feeds Russia's drone production, its missile guidance systems, and its electronic warfare capabilities. The EU's concern about dual-use goods being re-exported through Kyrgyzstan to Russia - which prompted Kyrgyzstan to threaten legal action against the bloc in March 2026 - may actually understate the problem. The crypto channel is larger than the physical shipping route.

But it gets worse. TRM Labs has also tied A7-linked wallet addresses to U.S.- and EU-designated terrorist organizations, including Iran's Islamic Revolutionary Guard Corps (IRGC) and Hamas. The platform doesn't just evade sanctions for Russian defense firms. It provides financial infrastructure to designated terror groups.

The connection to the IRGC is particularly significant given the ongoing conflict between the United States and Iran. A financial network built to serve Russia's war machine simultaneously services Tehran's most powerful military organization. The convergence is not coincidental - it reflects the deepening alignment between Moscow and Tehran, now cemented by weapons transfers, intelligence sharing, and shared financial infrastructure designed to circumvent Western economic power.

The Elliptic investigation of September 2025, based on leaked data from Shor-controlled businesses, revealed that A7A5 infrastructure was also used to fund election interference in Moldova's parliamentary elections. The crypto-to-cash pipeline served as a disbursement mechanism for payments to political operatives, media figures, and party organizers aligned with Moscow's interests. Approximately $8 billion in cryptocurrency was linked to Shor's network of sanctions evasion and election meddling, according to the Elliptic analysis.

V. The Western Enablers: Canaccord, Cyprus, and Willful Blindness

The $80 million penalty breakdown - the largest ever against a broker-dealer for BSA violations. (BLACKWIRE / CIPHER)

The A7A5 network operates outside Western financial channels. But the broader ecosystem of Russian sanctions evasion depends on Western institutions that look the other way. The case of Canaccord Genuity, a major Canadian broker-dealer, illustrates how this works.

In March 2026, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) imposed an $80 million civil penalty against Canaccord Genuity LLC - the largest penalty ever assessed against a broker-dealer for violating the Bank Secrecy Act. The SEC added a $20 million fine. FINRA added another $20 million. Canaccord admitted to the findings and agreed to pay.

The FinCEN Consent Order describes years of systematic failures between 2018 and 2024. Canaccord failed to implement an adequate anti-money laundering program. It failed to file at least 160 Suspicious Activity Reports covering thousands of questionable transactions. It failed to conduct basic customer due diligence on high-risk accounts.

Among the clients who slipped through: an individual the order calls "Individual 2," who reportedly spent years helping sanctioned Russian oligarchs move money through Cyprus-based offshore structures. The Globe and Mail identified parallels between "Individual 2" and Demetris Ioannides, founder of MeritServus, a Limassol-based corporate services firm sanctioned by the UK in April 2023 for working on behalf of Roman Abramovich.

A footnote on page 27 of the Consent Order - buried where only the most diligent readers would find it - reveals something the mainstream coverage largely missed. Individual 2 also aided Konstantin Malofeyev, a Russian billionaire sanctioned by OFAC in December 2014 for being "one of the main sources of financing for Russians promoting separatism in Crimea." Malofeyev was sanctioned again in April 2022 for acting on behalf of the Russian government. He runs the Tsargrad media network, a platform for extreme-right ideologue Aleksandr Dugin. He has been the subject of an international arrest warrant.

"For years Canaccord Genuity conducted trades for a Russian oligarch's financial fixer to skirt sanctions, a foreign bank flagged for a high risk of facilitating tax evasion and fraudsters conducting pump-and-dump schemes." - The Globe and Mail, March 2026

Material reported by The Guardian in 2023 based on leaked MeritServus documents showed that up to three years after Malofeyev was sanctioned, MeritServus helped him move money and issue loans - some denominated in U.S. dollars. Canaccord's customer due diligence files contained no reference to Individual 2's publicly reported links to Russian oligarchs during the roughly five-year period between account opening and the third quarter of 2022.

The FinCEN order also describes Canaccord's involvement with stock promoter Joseph A. Padilla, convicted for a pump-and-dump scheme. A separate SEC filing notes that Padilla enlisted four Russian nationals in his scheme who had accounts at Valor Capital, a firm linked to Ivo Zutis, who was in turn reportedly linked to Yevgeny Prigozhin - "Putin's Chef," the late Wagner Group founder.

The pattern is consistent. A Western broker-dealer provides market access without meaningful scrutiny. Sanctioned money flows through. Suspicious transactions go unreported for years. When regulators finally act, the penalty is large in headline terms but small relative to the flows it enabled. Canaccord pays $80 million. The sanctioned assets it helped shield are worth orders of magnitude more.

VI. The Whack-a-Mole Problem: Why Sanctions Keep Failing

Sanctions target entities that already operate outside the system. The fundamental asymmetry favors evasion. (Pexels)

Western policymakers face a structural problem that no amount of sanctions designations can solve. The entities at the core of the A7A5 network - A7, Promsvyazbank, Old Vector, Grinex - are all already under U.S. sanctions. They already operate entirely outside Western financial channels. Their owners have nothing left to lose from additional designations.

The whack-a-mole dynamic is well documented. Garantex was sanctioned in 2022. It operated for three more years. When it was finally shut down via domain seizure in March 2025, five replacement exchanges appeared within weeks. OFAC sanctioned Grinex in August 2025. The token continued trading on other platforms. The EU banned A7A5 transactions in October 2025. The cryptocurrency's turnover still hit $93 billion by year's end.

As Agathe Demarais wrote for Foreign Policy on March 31, 2026: "Addressing sanctions evasion often resembles a game of whack-a-mole: Designate an entity, and it will soon reopen under a different name."

The blockchain's transparency paradox compounds the problem. Every A7A5 transaction is recorded on a public ledger. Western intelligence services can monitor flows in real time. But monitoring is not attribution. Connecting a wallet address to a specific sanctioned firm requires names, documents, or intercepted communications - exactly what A7A5's no-KYC architecture is designed to withhold. You can see the cars on the highway, but none carry license plates.

MiCA, the EU's landmark cryptocurrency regulation, only applies to EU-based exchanges. It cannot reach networks operating entirely outside European jurisdiction. The EU's planned ban on all crypto transactions with Russian counterparties was diluted during negotiations. The U.S. political environment is, if anything, less favorable to crypto enforcement. President Trump launched his own memecoin, embraced dollar-backed stablecoins, and pushed financial deregulation. Donald Trump Jr. attended the Token2049 conference in Singapore where A7A5 was a platinum sponsor - though the token was quietly removed from the program after Reuters inquired.

The regulatory capture runs deeper than individual policy failures. The cryptocurrency industry has become a significant political donor class in the United States. Enforcement actions against crypto-enabled sanctions evasion risk alienating an industry that both major parties now court. The result is a structural incentive to enforce sanctions against the most visible offenders while leaving the underlying architecture intact.

VII. The Treasury Reckoning: 2026 National Risk Assessment

Treasury's 2026 risk assessment names the exact typologies that went unchecked for years. (Pexels)

The U.S. Treasury released its 2026 National Risk Assessments in late March 2026, and the document reads like a postmortem of failures already in progress. The assessment explicitly documents cryptocurrency-based sanctions evasion as a "known laundering methodology." It identifies ruble-to-stablecoin conversion as a specific typology. It flags the absence of KYC controls on swap services as a critical vulnerability.

The legal implications are significant. Prosecutors can now argue that any exchange or financial institution that encounters A7A5-linked transactions is "on notice" that the typology represents sanctions evasion risk. Failure to act beyond filing a Suspicious Activity Report may constitute willful blindness. The Canaccord case already demonstrates this theory - FinCEN argued that publicly available information linking clients to sanctioned individuals was sufficient to trigger enhanced due diligence obligations, regardless of whether the firm's internal systems flagged the risk.

The 2026 TRM Labs Crypto Crime Report quantified what Treasury's assessment described qualitatively. Illicit stablecoin activity reached a five-year high of $141 billion in 2025. Sanctions-related activity accounted for 86% of all illicit crypto flows. The A7A5 token alone represented more than half of all illicit stablecoin volume. These are not marginal figures. This is the central channel of global sanctions evasion.

The scale creates a political problem for Western governments that have predicated their Russia policy on the assumption that sanctions impose meaningful costs. If Russia can move $93 billion through a single crypto channel in a single year - equivalent to one-third of its total imports - then the sanctions regime has a hole large enough to drive a war economy through. The question is no longer whether A7A5 undermines sanctions. The question is whether the sanctions architecture is fundamentally broken.

VIII. The Deeper Game: Building a Parallel Financial System

A7A5 is not just evasion - it's a prototype for a post-dollar financial order. (Pexels)

A7A5 is not merely a sanctions workaround. It is a proof of concept for something larger: a financial system that operates outside the dollar-denominated, SWIFT-connected architecture that has underpinned Western economic power since Bretton Woods. The Kremlin understands that the real weapon is not the token itself but the infrastructure around it.

Consider what Russia has built. A state-backed stablecoin with unlimited liquidity. Exchange platforms that regenerate when shut down. A jurisdictional base in a country (Kyrgyzstan) that is unlikely to cooperate with Western enforcement. A swap mechanism that converts sanctioned currency into globally liquid stablecoins without identity verification. And political cover in the West from a cryptocurrency industry that has captured the regulatory process.

The Putin ribbon-cutting in Vladivostok was not theater. It was a signal - to domestic audiences, to allied states, to the global crypto ecosystem - that Russia's government stands behind this infrastructure. The Kremlin wants other sanctioned economies watching. Iran, North Korea, Syria, Venezuela - any state targeted by Western financial sanctions now has a template for circumvention.

The Foreign Policy analysis noted that A7-linked addresses have been tied to IRGC and Hamas transactions. This is not a bug. It is the beginning of a multi-state sanctions evasion network where Russia provides the financial infrastructure and allied states provide the transaction volume. The ruble-pegged stablecoin becomes the reserve currency of a shadow financial system that serves everyone the West has tried to economically isolate.

Chainalysis head of national security intelligence Andrew Fierman described A7A5 as "a unique sanctions evasion tool." That may understate its significance. It is a unique financial sovereignty tool - one that threatens to make the entire concept of economic sanctions obsolete for states willing to operate outside the Western system.

IX. What Comes Next

The parallel system is already running. The question is whether the West can adapt before it becomes permanent. (Pexels)

The trajectory is clear and accelerating. A7A5 went from zero to $93 billion in a single year. The network has survived U.S. sanctions, EU sanctions, domain seizures, server confiscations, and the arrest of exchange operators. Every enforcement action has been absorbed and routed around. The system was designed for resilience and it is performing as designed.

Several developments will determine whether the A7A5 infrastructure becomes permanent or faces meaningful disruption:

Kyrgyzstan's response. Bishkek's decision to threaten the EU with legal action over dual-use goods restrictions suggests the political will to confront sanctions evasion infrastructure on its soil is minimal. Kyrgyzstan wants to be a crypto hub. A7A5 is the biggest thing happening in Kyrgyz crypto. These incentives do not align with Western enforcement goals.

Tether's role. A7A5's value to sanctioned users depends on the ability to swap into dollar-pegged stablecoins. Tether (USDT) is the dominant off-ramp. If Tether's issuer imposed meaningful restrictions on wallets receiving A7A5-sourced funds, it would constrain the network significantly. But Tether has historically been slow to freeze wallets absent direct law enforcement requests, and the no-KYC swap architecture makes attribution difficult even for cooperative issuers.

U.S. political dynamics. The Trump administration's embrace of cryptocurrency creates a political environment where aggressive enforcement against crypto-enabled sanctions evasion faces headwinds from the industry's lobbying apparatus. The administration's own financial interests in crypto tokens create at minimum the appearance of conflicts of interest.

Secondary sanctions. The most powerful tool available to Western policymakers is secondary sanctions - penalties against third-country firms and individuals that facilitate sanctions evasion. Targeting Kyrgyz financial institutions, crypto exchange operators, and swap service providers could impose costs on the network's infrastructure. But secondary sanctions risk alienating Central Asian states that the West is simultaneously trying to pull away from Russian influence.

The mathematics favor the evasion network. Building a crypto exchange costs effectively nothing. Sanctioning one costs diplomatic capital, intelligence resources, and political will. The asymmetry is structural. Russia can generate new exchange platforms faster than the West can designate them. The A7A5 token can migrate between exchanges faster than regulators can map the network.

The $93 billion ghost is not a single event or a single actor. It is a system - one that was designed by a state, backed by a state bank, operated by a fugitive oligarch, registered in a permissive jurisdiction, and shielded by the structural weaknesses of Western financial regulation and the political compromises of Western governments. It is running now. It will be running tomorrow. And unless something fundamental changes in how the West approaches crypto-enabled sanctions evasion, it will be running next year at twice the scale.

Follow the money. It leads to a ramshackle house in Bishkek where two boys answer the door and say they've never heard of a company. That company moved $93 billion last year.

The ghost has a name. The ghost has an address. The ghost is still operating.

Sources: Foreign Policy, RFE/RL, TRM Labs 2026 Crypto Crime Report, Chainalysis 2026 Sanctions Report, Elliptic, OFAC, FinCEN Consent Order No. 2026-01, U.S. Treasury press releases, ICIJ Cyprus Confidential, The Globe and Mail, Reuters, CoinDesk, Center for Information Resilience. All figures cited from published reports and official government filings.