AEXbit, Rapira, Aifory Pro — The Five Candidates For The EU's 21st Sanctions Package

### 1. AEXbit — the most likely next OFAC name

AEXbit launched in July 2025 with what TRM Labs describes as "an identical interface" to ABCex, the venue that previously occupied the same floor of Moscow's Federation Tower as Garantex.

ABCex processed at least $11 billion in lifetime volume per TRM and disappeared after a DDoS event in mid-2025. AEXbit launched within weeks, carrying the same coin set (TRX, BTC, ETH, RUB), the same UI design language, and on-chain address co-spend patterns that TRM's clustering analysis ties to ABCex "with near certainty."

The operator network is the Mendeleev-adjacent address cluster — Sergey Mendeleev, OFAC-listed in August 2025, founded Exved and InDeFi SmartBank and is named by iStories and TRM as the architect of the ABCex and now AEXbit operational lineage. The physical address — Federation Tower, Moscow City — is the same.

OFAC has named Garantex, Grinex, Exved, InDeFi, A7 LLC, Old Vector LLC, and Payeer from this exact cluster. AEXbit is the unsanctioned residual leaf as of May 15, 2026. The August 2025 TRM "Imitation Game" report is the most direct public mapping.

### 2. Rapira — Georgia-incorporated, Moscow-operated

Rapira incorporates in Georgia and operates from Moscow. Elliptic documented more than $72 million in direct on-chain flows to sanctioned Grinex. Rapira's Moscow office has reportedly been raided over capital-flight allegations, though the Russian Federation's enforcement against its own cryptocurrency-trading infrastructure has been inconsistent.

The $72 million Grinex exposure is the regulatory dynamite. Direct receipt of funds from an OFAC-designated entity, sustained over months, is the kind of operational pattern that international sanctions enforcement specifically targets.

### 3. Aifory Pro — virtual cards plus Iran nexus

Aifory Pro operates across three jurisdictions: Moscow, Dubai, and Türkiye. The product offering centers on USDT-funded virtual cards marketed explicitly as a way around traditional card-issuer restrictions.

Per Elliptic, approximately $2 million in Aifory Pro flow connects to Abantether, an Iranian crypto exchange. The Iran nexus combined with the card-issuance vector makes Aifory Pro an unusually clean target for OFAC enforcement under existing IEEPA-Iran authority. The April 23, 2026 OFAC action that froze $344 million at Central Bank of Iran wallets demonstrates the current administration's willingness to act on Iran-corridor flows.

### 4. Exmo.me — the non-Russian survivor

Exmo.me is branded as the "non-Russian" survivor of EXMO. Elliptic's investigation showed custodial-wallet sharing with Exmo.com (i.e., the rebrand did not produce a clean operational separation) and $19.5 million-plus direct on-chain exposure to Garantex, Grinex, and Chatex.

The Exmo.com / Exmo.me distinction is the kind of branding-without-substance separation that anti-circumvention tooling specifically targets. The EU 21st package's likely scope expansion would catch Exmo.me through the "established in Russia" test, given the documented custodial-wallet sharing with the Russia-domiciled Exmo.com.

### 5. Envoys Vision Digital Exchange (EVDE) — Kyrgyz-licensed, Rusich-adjacent

EVDE is a Kyrgyz-licensed exchange. RUSI and TRM Labs have documented Rusich Group paramilitary wallet registrations on EVDE. Rusich Group is a Russian private military company sanctioned by the United States for its participation in Russian operations in Ukraine and Africa.

EVDE is one of approximately two hundred crypto exchange and exchange-operator registrations issued by the Kyrgyz Financial Supervisory Authority by early 2026 (per The Diplomat's April 2026 "Welcome to Cryptostan" report). Kyrgyz licensed turnover in 2025 was $20-32 billion across these venues, approximately two to three times Kyrgyz GDP. From January 1, 2026 the Kyrgyz authority introduced a 10 billion KGS (~$115,000) authorized-capital floor to clean out shell registrations; EVDE cleared this floor.

Brand-name exchanges in the Russia corridor have an effective twelve-month half-life. Garantex shut down, Grinex stood up, Grinex was sanctioned, TokenSpot stood up, TokenSpot was hit. Each successor required a new individual designation cycle that took six to twelve months. Article 5bb of the EU 20th package finally removes the cycle for Russia-domiciled CASPs specifically — but the cycle continues for adjacent jurisdictions until anti-circumvention tooling extends.

The durable layer is the operator network, not the brand. The named individuals are:

- **Aleksej Besciokov** — Garantex co-founder. Arrested Kerala, India, March 12, 2025. Three felony charges (max 45 years). Awaiting US extradition. The arrest closed his operational role. - **Aleksandr Mira Serda** (Ntifo-Siao) — Garantex ex-CCO. Russian, at large in UAE. US State Department $5 million reward. UAE has no extradition treaty with the United States. OCCRP and Transparency International Russia document Mira Serda's continued operational role from Dubai. - **Sergey Mendeleev** — OFAC-listed August 2025. Founded Exved, InDeFi SmartBank. Named by iStories and TRM as the architect of the ABCex / AEXbit operational lineage. - **Alexander Lebedev** — former KGB/SVR. Co-founded InDeFi SmartBank per iStories. Not OFAC-listed for crypto activity as of this writing; the OFAC-listed designation for Lebedev relates to non-crypto matters. - **Pavel Karavatsky** — named in TI-Russia's "Crypto Laundromat" investigation as leadership of the Moscow-City cluster of approximately twenty venues around Mendeleev's network. - **Mohammad Khalifa** — multi-jurisdictional Garantex representative across UAE, Spain, Thailand, and Hong Kong per TI-Russia.

The operator network is geographic. Federation Tower in Moscow City is the physical hub. Dubai is the offshore operational center where Mira Serda has been located since arrest avoidance became necessary. The Kyrgyz licensing layer is the regulatory-arbitrage backbone.

For the EU's 21st package to produce durable consequence, the designation will need to extend beyond venue brands to the operator network and the geographic anchors. The Commission's stated "architecture" focus in the 20th package suggests this is the next move.

While the exchange whack-a-mole has played out, the A7A5 / RUBx / RT-Pay stablecoin infrastructure has expanded geographically.

A7A5 cumulative on-chain volume crossed $119.7 billion per Elliptic's anniversary analysis. Daily volume sits at approximately $175 million per Cryptopolitan, with 99-plus percent of the activity on TRON.

The A7 corporate entity has opened a Nigerian office, announced a Zimbabwe launch, and is hiring in Togo per RFE/RL, intellinews, and FT-cited reporting. The geographic expansion follows the 1990s offshore-banking template: as primary jurisdictions become hostile, the asset's commercial footprint shifts to jurisdictions with less developed financial-sanctions enforcement.

RUBx — the separate Rostec-issued ruble stablecoin announced in July 2025 — and its RT-Pay payment hub will roll out in phased domestic deployment through 2026. Both are on the EU 20th package banned-asset list. Both are TRON-based.

The durable target is the TRON settlement layer carrying both A7A5 and RUBx. The brand-level exchange designations are downstream of the settlement layer. Sanctions enforcement that pivots to settlement-rail disruption — analogous to the 1990s correspondent-USD-access disruption that finally killed Caribbean offshore banks — is the structural counter.

Five operational items for EU CASPs in the window before the 21st package:

1. **Block transactions involving the five named candidates today**, before they appear on any sanctions list. The TRM, Elliptic, and Chainalysis intelligence is sufficient evidence for risk-based due diligence to refuse the counterparty.

2. **Apply the "established in Russia" test at the entity level**, not just the brand level. Rapira (Georgia-incorporated, Moscow-operated) and Exmo.me (custodial-wallet sharing with Russia-domiciled Exmo.com) both fail the substance test even if they pass a naïve domicile check.

3. **Screen the operator-network beneficial-ownership graph.** Wallet activity by named operators (Mendeleev, Mira Serda, Karavatsky, Khalifa) should be flagged at the wallet level and propagated to all entities with beneficial-ownership overlap.

4. **Monitor for A7A5 contract-level activity** at `0x6fA0BE17e4beA2fCfA22ef89BF8ac9aab0AB0fc9` (Ethereum) and `TLeVfrdym8RoJreJ23dAGyfJDygRtiWKBZ` (TRON). Both will be banned for EU CASP transactions from May 24, 2026.

5. **Treat Kyrgyz licensure as a higher-scrutiny indicator**, not a clean-bill-of-health indicator. The 200+ Kyrgyz licensed venues include EVDE and many others with documented Russia-corridor operational nexus.

For Sanctuary's screening: all five candidate venues (AEXbit, Rapira, Aifory Pro, Exmo.me, EVDE) carry High to Critical scores with `russia_corridor_successor_2026` provenance. Mendeleev, Mira Serda, and adjacent operator addresses inherit Critical scores propagated to beneficial-ownership clusters.

Brand-level sanctions designate exchange brands. Operator-level sanctions designate the people and infrastructure that move from brand to brand.

The Russia-corridor exchange pattern has produced four years of brand-level designations. Each designation closes one venue and produces a successor within six to twelve months. The pattern is structural; it will continue until enforcement shifts from brands to operator networks.

The EU 20th package shifts from brand to category (jurisdiction). The 21st will need to shift to operator (people, infrastructure, ownership). The candidate venues are visible today. The operator addresses are visible today. The settlement layer (TRON-A7A5 corridor) is visible today.

Screen the operator graph, not the brand. The brand will change next quarter.