Author: TrustIn, Stablecoin Anti-Money Laundering Infrastructure
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has issued new sanctions notices targeting several transnational illicit financial entities. Two key groups on the list have drawn industry attention: one is the Russia-based bulletproof hosting (BPH) provider Aeza Group and its executives; the other is the Picado Grijalba criminal organization based in Costa Rica. These two types of entities share a common characteristic: they each play a specific role in the flow of illicit funds.
The Operating Model and Legal Exemption Traps of Bulletproof Hosting (BPH)
When researching service providers like Aeza Group, it's crucial to first clarify the fundamental differences between bulletproof hosting and standard cloud services. Standard VPC (Virtual Private Cloud) or hosting providers typically adhere strictly to the Digital Millennium Copyright Act (DMCA) and compliance requirements of various jurisdictions. Upon receiving complaints of abuse or legal enforcement requests (such as shutting down illegal DDoS nodes or phishing websites), these providers act swiftly.
However, the core business model of bulletproof hosting providers, such as Aeza Group, is based on "refusal to cooperate." These providers offer customers an operating environment that can resist administrative interference by deploying physical servers in specific jurisdictions and using sophisticated network routing technologies to conceal the actual location of the data centers.
According to the sanctions details disclosed by OFAC, Aeza Group is not a single entity. Its executives, Maksim Makarov and Ilya Zakirov, constructed a distributed hosting matrix through shell companies such as Smart Digital Ideas DOO (registered in Serbia), Datavice MCHJ (registered in Uzbekistan), and Hypercore Ltd. (established in various European locations). The significance of this structure is that even if a front-end domain is blocked, illicit trading protocols running on the back end—such as the liquidation processes of Grinex and its predecessor Garantex—can continue to operate.
As a direct result of this architecture, illegal trading platforms were able to keep more than 90% of their nodes online by 2025, even when facing global blockades.
Clearing Hub in Russia's Parallel Financial Stack: The Niche of A7A5 Stablecoins
The physical support provided by bulletproof hosting is a crucial component of Russia's construction of a parallel financial stack. Due to the disruption of traditional SWIFT settlement channels, Russian-affiliated entities shifted to a highly centralized stablecoin settlement model in 2025. Among these, the ruble-pegged stablecoin A7A5 became the core of this clearing network.
In 2025, A7A5's total transaction volume exceeded $72 billion. This was not the result of retail trading, but rather highly structured institutional activity. By analyzing the A7 wallet cluster (with approximately $38 billion in associated funds), we can observe a clear "transfer-aggregation" pattern. Funds typically flow out of sanctioned entities and into non-compliant VASPs (Virtual Asset Service Providers) running on Aeza Group servers, where asset shuffling or cross-chain conversions are completed at these nodes.
It's called a "parallel financial stack" because this system forms a self-sufficient closed loop, from hardware (Aeza's servers), assets (A7A5 stablecoin), to channels (non-compliant VASPs). A7A5 is not only used for cross-border trade settlement but is also widely used for ransomware and profit distribution in cybercrime. In this closed loop, the bulletproof host not only carries the clearing protocol but also provides geographical deception for each transaction through its own IP asset pool, making it difficult for traditional geofencing-based compliance tools to identify the true origin of these transactions.
The Necessity of Asset-Level Risk Audits: Token Attributes and Joint Liability for Sanctions
With Aeza Group and A7A5-related wallet clusters being explicitly flagged by OFAC, the risk control logic in the crypto industry has changed. In previous analyses, assets themselves were often considered neutral containers, and only the identities of the transacting parties were the basis for compliance judgments. However, the action on January 22nd re-emphasized the concept of "asset-level risk."
When A7A5 is characterized as a tool controlled by sanctioned entities and used to evade regulation, holding, liquidating, or providing liquidity for this token in itself creates compliance exposure. For financial institutions, this is not merely a matter of identifying black addresses, but requires "multi-layered screening" of every token protocol in the asset pool. If a liquidity pool is heavily flooded with A7A5 generated through Aeza-hosted nodes, the overall risk level of that pool should be reassessed.
This dual audit logic based on "assets + physical foundation" is an inevitable product of coping with the complex financial environment of 2026. With the total amount of illicit funds rebounding to a high of $158 billion in 2025, any risk control system that ignores the compliance of the underlying infrastructure may fail in the face of such systemic evasion strategies.
After dismantling the physical foundation of digital infrastructure, the other end of the sanctions list on January 22nd points to the exit mechanisms for illicit fund flows. If the Aeza Group provides a "blockade-resistant" survival space, then the Costa Rican Picado Grijalba organization demonstrates a "retailization" cover logic for assets when settling in the physical world.
Retailization as a Cover: Structural Transformation of Asset Outflow Logic by Real Business Operations
The core of Picado Grijalba's operations lies in its deep penetration of the business ecosystem surrounding the port of Limón in Costa Rica. Unlike traditional models that rely on large offshore accounts for multi-layered transfers, this organization exhibits strong localization in the asset off-ramp phase. According to the disclosed list of associated entities, beauty salons, fishing companies, and real estate agencies are among the final nodes in the asset conversion process.
This choice has a clear economic logic. Beauty salons, small retail outlets, and the fishing trade typically feature high-frequency cash transactions, labor costs that are hard to standardize, and relatively vague business growth logic. These physical business nodes, upon receiving crypto assets, can transform them into part of their daily operating revenue. For example, crypto assets from the illicit trade can be converted into seemingly legitimate operating income by fabricating service appointments, inflating the average price of a single service, or artificially increasing raw material procurement costs in beauty salons controlled by the organization. By "granularizing" illicit liquidity and embedding it into the service industry, this method effectively defeats monitoring algorithms that look for large, abnormal transactions.
The sophistication of this "retail-oriented" money laundering lies in its exploitation of consistent business logic. In active trading areas like the port of Limón, the fuel consumption, parts replacement, and outsourced labor costs of fishing companies fluctuate significantly, providing excellent cover for the entry of illicit funds. This method no longer attempts to conceal the origin of the funds, but rather tries to reshape the pedigree of the funds by "creating legitimate business activities."
Geopolitical Game: The Financial Loop of Limón Port and the Global Trading Network
The Picado Grijalba organization's control over the port of Limón—particularly the Moín container terminal—is not merely logistical control, but also financial settlement support. As a key hub for global cocaine trafficking, the port's business volume dictates a significant demand for cross-border value hedging in the region.
The organization's industrial layout perfectly aligned with this geographical characteristic. By controlling supporting service companies along the logistics chain, the Picado network achieved an evasion model of "integrated trade and finance." They were not only responsible for the physical transfer of goods, but also used their controlled industrial networks to provide collection and payment services to downstream criminal networks. Under this model, the cross-border movement of funds no longer manifested as simple currency transfers, but rather as "trade differences" or "service fee expenditures."
In a 2025 analysis of crime flows, stablecoins accounted for nearly 90% of crypto asset flows in Central and Latin America. The Picado organization is a local actor in this trend. They leverage the instant liquidation capabilities of stablecoins to rapidly convert illicit proceeds from European or North American markets into real assets in Costa Rica. This "cloud-based revenue, local consumption" model shortens the time funds remain under regulatory scrutiny and increases the geographical difficulty of tracing their origins.
Business Logic Auditing: The Transition from Identity Verification to Authenticity Penetration
The Picado Grijalba case challenges existing defenses by demonstrating that even legally licensed businesses with physical locations can become key nodes in the global money laundering supply chain. The beauty salons and investment consulting firms on the list may superficially appear to fully comply with regulatory requirements in terms of legal status, registration documents, and tax records.
This means that the identification of such risks must shift from "verifying who the legal entity is" to "verifying what the business is doing." For example, when a fishing company's book profits continue to grow, but the frequency of its associated cryptocurrency deposits deviates significantly from the seasonal characteristics of fishing, or its average transaction value far exceeds the industry average, this deviation from business logic should be considered a key risk indicator.
Under the pressure of sanctions in 2026, this kind of "micro-infiltration" has become a common strategy for illicit financial systems to evade on-chain traceability. The Picado organization is not merely laundering money; it is actually building a "credit pool" based on real-world assets. These pools not only absorb its own illicit proceeds but also provide highly covert redemption services for other transnational criminal networks. For any financial system involved in these transactions, identifying this "real-world fingerprint" hidden behind ordinary business transactions has become the last line of defense against systematic evasion strategies.
Part Three: The Core of the Whole Stack – The Closed Loop of A7A5 Stablecoin and Parallel Liquidation System
In the cross-border flow of digital assets, the physical stability provided by infrastructure and the exit channels provided by real-world nodes require a highly liquid medium that can bypass traditional bank monitoring to connect them. On-chain data from 2025 to early 2026 shows that the Russian-linked ruble stablecoin A7A5 is playing this role as a "full-stack link." According to an industry report in early 2026, A7A5's total transaction volume exceeded $72 billion in the past year (some research institutions believe it is close to $100 billion). At this scale it is no longer simple market activity, but a clearing protocol with sovereign-level hedging characteristics.
A7A5's operating logic differs significantly from traditional USD stablecoins. Its issuance and liquidation do not rely on centralized custodians controlled by the US, but rather operate on a closed node network supported by bulletproof hosting providers such as the Aeza Group. This deep integration of "hardware + assets" ensures that A7A5 can maintain liquidation efficiency through dynamic migration of the underlying protocol even when facing global wallet blocking. Tracking the A7 wallet cluster (involving approximately $38 billion in traffic) reveals a highly structured interaction with Latin American retail nodes such as the Picado network: large amounts of cross-border profits undergo initial aggregation through A7A5, are then converted into more liquid mainstream assets in non-compliant VASPs hosted on bulletproof servers, and are finally distributed to real-world exit points around the world.
The establishment of this parallel clearing system effectively creates a "quarantine zone" within the global financial system. Within this zone, the flow of funds no longer follows the logic of SWIFT, but rather the logic of a "new physical layer" defined by BPH physical nodes. For regulators, the challenge of A7A5 lies in its ability to spread risk from a single address to the entire token ecosystem—when all issuance, redemption, and transfer of a token operate on uncontrolled infrastructure, the asset itself becomes a systemic compliance red line.

Part Four: Integration of the LaaS Model – From “Money Laundering Solution” to “Money Laundering Platform”
The underlying logic exposed by the latest sanctions is the full maturity of the Laundering-as-a-Service (LaaS) model. Current illicit financial networks are no longer sporadic, temporary transfer channels, but have evolved into a leasable and integrable "full-stack service platform." On this platform, Aeza Group provides "data center leasing and defense services," while the Picado network provides "business acceptance and cash conversion services."
This service-oriented model significantly lowers the barrier to entry for cross-border crime. A typical money laundering client (such as a ransomware organization or drug trafficking ring) only needs to purchase a complete LaaS solution: First, they access an anonymous clearing protocol via the API on the bulletproof server; second, they transfer profits across borders using the A7A5 stablecoin; and third, they complete the final withdrawal through "industrial boutiques" like Picado, located in Costa Rica or Southeast Asia. This streamlined collaboration eliminates the need for criminals to manage complex money laundering processes themselves; they only need to pay a service fee to utilize this readily available, stress-tested infrastructure.
In 2025, crime-flow monitoring showed that this platform-based collaboration significantly shortened money laundering cycles. Previously, money laundering processes involving complex cross-border business operations could take months, but with the support of LaaS, through high-frequency, automated asset conversion and pre-set business transaction hedging, the entire cycle has been compressed to within 45 days. This increased efficiency is essentially a "network effect" resulting from the money laundering supply chain closing the loop at both the digital and physical ends.
Part Five: The Future of Penetration Auditing – From Identity Verification to Behavioral Fingerprinting and Physical Traceability
The latest sanctions announcement has effectively defined a completely new paradigm for the defense logic of financial institutions. When illicit funds are deeply embedded in the algorithms of bulletproof servers or disguised in the financial documents of beauty salons, traditional KYC (Know Your Customer) based on "person/company name" has reached its limit. Future compliance work must shift towards "full-stack auditing".
This transformation requires financial institutions to have the ability to identify "physical fingerprints." For example, when a VASP client claims to operate in a compliant region, but its back-end traffic frequently maps to known IP ranges of Aeza Group, this physical-level fraud should directly trigger the highest level of risk warning. Similarly, audits of industrial clients require in-depth monitoring of "business logic deviations." Financial institutions need to analyze: Does the asset flow of a fishing company located near a port align with the economic cycle of the fishing season? Does the frequency of its cryptocurrency transactions deviate from the growth curve of its fiat currency inflows?
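The infrastructure check and the business-logic checks described above (and in the earlier fishing-company example) can be combined into one audit pass. The following is an added illustration, not TrustIn's code: the function names, thresholds and client records are assumptions, and the watchlist uses RFC 5737 documentation ranges as placeholders because the article does not list the sanctioned provider's real ranges.

```python
import ipaddress
from statistics import mean

# Constructed watchlist: RFC 5737 documentation ranges stand in for the
# sanctioned provider's real ranges, which the article does not list.
WATCHLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

def bph_share(backend_ips, watchlist=WATCHLIST):
    """Fraction of observed back-end IPs that fall inside watchlisted ranges."""
    if not backend_ips:
        return 0.0
    hits = sum(any(ipaddress.ip_address(ip) in net for net in watchlist)
               for ip in backend_ips)
    return hits / len(backend_ips)

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is flat (no seasonal signal)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def audit(client, season_index, industry_avg_ticket,
          max_bph_share=0.2, min_season_corr=0.3, max_ticket_ratio=3.0):
    """Return the risk indicators raised for one client (thresholds are assumptions)."""
    flags = []
    if bph_share(client["backend_ips"]) > max_bph_share:
        flags.append("infrastructure: back-end traffic maps to watchlisted hosting")
    if pearson(client["monthly_crypto_deposits"], season_index) < min_season_corr:
        flags.append("seasonality: crypto deposits do not track the business cycle")
    if client["avg_ticket_usd"] > max_ticket_ratio * industry_avg_ticket:
        flags.append("ticket size: average transaction far above industry average")
    return flags

# Constructed sample data: monthly activity index for a fishery (peak mid-year)
SEASON = [2, 2, 3, 5, 8, 9, 9, 8, 5, 3, 2, 2]
ORDINARY = {"backend_ips": ["192.0.2.10", "192.0.2.11"],
            "monthly_crypto_deposits": [4, 5, 6, 11, 15, 19, 18, 16, 9, 6, 4, 3],
            "avg_ticket_usd": 900}
SUSPECT = {"backend_ips": ["198.51.100.7", "203.0.113.40", "192.0.2.10"],
           "monthly_crypto_deposits": [30, 31, 29, 30, 32, 30, 31, 29, 30, 31, 30, 32],
           "avg_ticket_usd": 14000}

if __name__ == "__main__":
    for name, c in (("ordinary", ORDINARY), ("suspect", SUSPECT)):
        print(name, audit(c, SEASON, industry_avg_ticket=1200))
```

A flat deposit series is treated as zero correlation, so a business whose crypto inflows never vary with its season is flagged rather than silently skipped.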
Under the intense global regulatory pressure of 2026, this ability to penetrate the entire "full-stack" pathway will become a core variable determining the security of a financial system. Illegal financial networks are building a "second world" that evades sanctions by combining digital infrastructure with physical businesses. Identifying and blocking these patterns of connection that cross the boundaries between digital and physical worlds, and understanding the operational logic of money laundering as a systemic service, is not only an inevitable direction for professional research but also a core benchmark for assessing the future boundaries of financial security.
US Department of the Treasury, Release SB0368, January 21, 2026.
US Department of the Treasury, Release SB0369, January 22, 2026.




