Key Highlights:
- Global Ledger has identified new Garantex-linked wallets on Bitcoin and Ethereum used to process customer payouts despite sanctions.
- At least ~$25 million in crypto has already been paid out to former Garantex users.
- Payouts appear to be only in the initial phase: over 88% of ETH payout reserves remain unspent.
- The payout system relies on aggregation wallets, mixers, and cross-chain protocols to obscure fund flows.
- Wallets involved in payouts and reserves show direct exposure to major CEXs.
Even after U.S. and EU sanctions, Garantex continues processing customer payouts in BTC and ETH.
Following Garantex’s public announcement on July 30, 2025, the Global Ledger research team conducted a new investigation into Garantex payouts to identify the wallets, fund flows, and mechanisms behind them. The findings show that sanctions have not stopped the activity — instead, Garantex has adapted its payout infrastructure.
Chain of events: how the payout scheme works
1. Identification of new payout wallets
After Garantex announced the start of BTC and ETH payouts, Global Ledger traced new wallets linked to Garantex and reconstructed their role in the payout process.
In total, the investigation team has traced:
- Over 3200 ETH (~$9.6 million at the time of investigation).
- More than 260 BTC (~$24+ million) used to support customer payouts and reserves.
2. Activation of reserves after the seizure
On the day Garantex’s servers were seized (06.03.2025), one Ethereum wallet accumulated 3,256 ETH in a single day. Shortly after, 99.91% of these funds were transferred to the Tornado Cash mixer.
On Bitcoin, previously dormant reserves began to consolidate in March 2025, indicating preparation for payouts rather than isolated movements.
3. Cross-chain obfuscation of Ethereum payouts
Ethereum payouts rely heavily on cross-chain bridges and intermediary wallets. Funds were moved through:
- Across protocol bridge
- Relay.link bridge
- Unit’s wallet (Global Ledger identified a single aggregation wallet linked to Garantex holding 3,206.15 ETH; 99.1% of the funds originated from Unit’s wallet.)
Assets were transferred between Ethereum, Optimism, and Arbitrum, using wallets created solely to obscure the transaction trail before funds reached payout wallets.
The image below shows how the scheme operated — from the moment of seizure to the identified payout wallet:
4. Aggregation before distribution
Rather than paying users directly from reserves, Garantex used aggregation wallets that consolidated funds before distribution.
Only 0.01% (46.15 ETH) has been paid out so far, while the majority of ETH remains in reserve. Additional transfers to CEXs and cross-chain protocols suggest preparation for further payout phases.
5. Bitcoin payouts linked to major CEXs
Bitcoin payouts appear more centralised. Our research team has identified:
- Two primary BTC payout wallets, both linked to an aggregation wallet that received 198.90 BTC.
- Additional payout and HODL wallets containing an additional 70.34 BTC.
- Several source wallets showing direct exposure to one of the largest CEXs, with transaction “change” consistently routed to CEX deposit addresses.
What this means for CEX compliance officers
These payout mechanisms create multiple compliance and exposure risks for centralized exchanges:
- Sanctioned entities continue to leverage infrastructure, including leading CEXs, which unintentionally become money laundering channels.
- The structure of fund flows shows deliberate layering: reserves → mixers/protocols → aggregation wallets → obfuscating cross-chain hops → final payout wallets.
- Cross-chain activity is a critical blind spot if monitoring remains single-chain.
- Indirect exposure via aggregation wallets and bridges can connect CEXs to sanctioned flows without obvious red flags.
- Early payout stages mean risk is still unfolding, not finished.
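To illustrate the single-chain blind spot and indirect exposure described in the list above, the following added example (not Global Ledger's code or methodology) propagates proportional exposure over a constructed transfer graph. The wallet labels, amounts, and the assumption that each bridge deposit has already been matched to its destination-chain fill are hypothetical.

```python
from collections import defaultdict

# Constructed sample data. A node is (chain, label); labels are placeholders,
# not addresses from the report. Each transfer is (source, destination, amount).
# Assumption: a bridge hop is one edge, i.e. deposit and fill are already matched.
TRANSFERS = [
    (("eth", "reserve"), ("eth", "hop1"), 100.0),
    (("eth", "hop1"), ("op", "hop1"), 100.0),          # bridge: Ethereum -> Optimism
    (("op", "hop1"), ("arb", "hop2"), 100.0),          # bridge: Optimism -> Arbitrum
    (("arb", "hop2"), ("eth", "aggregator"), 100.0),   # bridge: Arbitrum -> Ethereum
    (("eth", "clean"), ("eth", "aggregator"), 300.0),  # unrelated funds mixed in
    (("eth", "aggregator"), ("eth", "payout"), 200.0),
    (("eth", "payout"), ("eth", "cex_deposit"), 50.0),
]
FLAGGED = {("eth", "reserve")}  # node attributed to the sanctioned entity


def exposure(target, transfers, flagged, max_hops=10):
    """Share of target's inbound value that traces back to a flagged node."""
    inbound = defaultdict(list)
    for src, dst, amount in transfers:
        inbound[dst].append((src, amount))

    def share(node, hops, path):
        if node in flagged:
            return 1.0
        # Stop at the hop limit or on a cycle; unknown funds count as untainted.
        if hops == 0 or node in path or not inbound[node]:
            return 0.0
        total = sum(a for _, a in inbound[node])
        tainted = sum(a * share(s, hops - 1, path | {node}) for s, a in inbound[node])
        return tainted / total

    return share(target, max_hops, frozenset())


def single_chain(transfers, chain):
    """What a monitor sees if it indexes only one chain: bridge legs vanish."""
    return [t for t in transfers if t[0][0] == chain and t[1][0] == chain]


if __name__ == "__main__":
    deposit = ("eth", "cex_deposit")
    print("single-chain view:", exposure(deposit, single_chain(TRANSFERS, "eth"), FLAGGED))
    print("cross-chain view: ", exposure(deposit, TRANSFERS, FLAGGED))
```

In this constructed graph the deposit address shows no exposure when only Ethereum transfers are indexed, and a 25% share once the bridge legs are included; a short hop limit hides the link in the same way.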
Conclusion
The Garantex payout case illustrates a broader reality: sanctions alone do not stop activity. Instead, sanctioned actors adapt by restructuring fund flows through aggregation wallets, mixers, and cross-chain infrastructure — often reaching compliant platforms indirectly.
For CEX compliance teams, the key risk lies not in obvious exposure, but in hidden connections: payout aggregation wallets, cross-chain hops, and counterparties that appear low-risk in isolation.
Global Ledger enables early detection of exposure before it becomes a blind spot with KYB and KYT solutions — combining entity exposure and risk reports, real-time transaction monitoring with AI-powered alerts, and fund flow visualization.