In March 2025, law enforcement achieved a significant victory. They seized the domain of Garantex, a Russia-linked exchange that had handled over $100 million for ransomware groups and darknet markets since 2019. The funds were frozen. Case closed.
Within days, the same operators launched Grinex. It was a near-identical platform, incorporated in Kyrgyzstan months earlier. The old customer base was migrated over using a new Ruble-backed stablecoin called A7A5. The takedown cut off a node. The network adapted and regrew the node elsewhere, under a different name.
This is not a story about a single stubborn exchange. It is a story about how illicit digital networks actually behave and why research needs to treat them as socio-technical networks, not as technical problems to be solved once. The ENSEMBLE project is researching both the technical problems and the wider socio-technical network.
TRM Labs’ 2026 Crypto Crime Report puts illicit crypto flows at a record $158 billion in 2025. That marks a reversal of years of steady decline and more than doubles the 2024 total. On its own, that sounds like a collapse, but it was not. The illicit share of all crypto activity actually reduced slightly as legitimate use grew faster. The surge was driven overwhelmingly by Russia-linked sanctions evasion, which rose by more than 400 per cent in a year and was mostly routed through the A7A5 stablecoin. Meanwhile, on the darknet, the move is towards privacy. According to TRM, close to half of newly launched markets in 2025 accept only Monero, up from around 40 per cent the year before, as better Bitcoin tracing pushes operators towards privacy coins.
Criminals are not abandoning crypto. They are reorganising around it. Where the pressure is sanctions, the network reassembles around Ruble-backed stablecoins and successor exchanges. Where the pressure is darknet policing, it reassembles around privacy
coins. Different pressure, different shape, same almost institutional logic. That is why we need an adaptable lens to examine these problems.
Actor-Network Lens
Most risk frameworks still treat technology as a thing or a risk to be managed, with a human as the manager controlling the risk. That hierarchy struggles in the digital asset ecosystem.
There is rarely a single actor to arrest. With rapid technological maladaptation to regulatory control, the lines between humans and ‘the AI’ being at fault become blurred. Traditional risk analysis does not align well with this new digital ecosystem.
Actor-Network Theory (ANT) offers a better lens for analysing this field. It grants equal analytical weight to human and non-human actors. Its core idea is simple: do not split the world into passive technology and active people. A developer, a regulator, a smart
contract, a stablecoin, a seized domain, and an investigative AI tool all shape what happens next. The lens asks us to weigh them together rather than crowning any one of them the sole cause. Looked at this way, a takedown does not end a network. It forces it to re-form. Garantex is the clearest example. It turned its own seizure into the starting point for the next version of itself, made A7A5 the channel through which its money now had to move, and shifted its users onto Grinex.
Seen this way, enforcement is not outside the network, looking in. It is part of the network, and every move it makes triggers the next round of rebuilding. That is uncomfortable, but more honest than pretending each takedown is final. We need a clear understanding of how these networks break down and reassemble themselves to have a meaningful long-term impact.
What this means for ENSEMBLE
This is exactly the gap ENSEMBLE is designed to close. The project equips police and investigators across Europe with AI-based investigation tools, training and shared infrastructure for cross-border cybercrime. Several of the consortium’s tools already map
these shifting associations. Pathfinder follows funds as they move between currencies and chains. Dark web monitor tracks how criminal domains and marketplaces resurface over time.
Tools alone are not the answer, and ENSEMBLE does not pretend they are. Social engineering remains the most common entry point. The advantage of a network lens is that it tells investigators where to look next. Map the actors with the most associations, and you can
anticipate where a disrupted network will re-form, rather than only reacting after it has. This is where ENSEMBLE’s contribution becomes concrete. The project builds forensic tools that trace where a disrupted network re-forms and trains investigators across Europe to use them, turning reaction into anticipation. No single takedown is final, but enforcement that can follow a network into its next shape, across the borders it hides behind, changes the odds. The network grows back. ENSEMBLE’s job is to ensure law enforcement grows back with it and gets there first.
Written by Ciarán Conroy, PhD Researcher, Centre for Emerging Risk Studies, University of Limerick.
