TLDR:
- TRM Labs assessed with high confidence that Cryptomus and Heleket share the same operators and infrastructure.
- Heleket’s illicit inflow ratio is nearly five times higher than the payment service provider average in TRM data.
- Garantex, a sanctioned Russian exchange, served as the primary liquidity source for both Cryptomus and Heleket.
- Cybercrime actors, including CSAM vendors, migrated from Cryptomus to Heleket after mandatory KYC controls were introduced.
Cryptomus, a Russia-linked cryptocurrency payment processor, may have launched a parallel service called Heleket to continue processing illicit funds.
This follows a record CAD 177 million penalty issued by Canada’s FINTRAC in October 2025. Blockchain intelligence firm TRM Labs assessed with high confidence that both platforms share the same operators.
Heleket’s illicit exposure runs nearly five times the payment service provider average, with sanctions-linked entities driving the majority of flagged inflows.
Shared Infrastructure Points to Common Ownership
TRM analysts found multiple off-chain connections linking Cryptomus and Heleket. Both platforms use the same privacy-focused domain registrar and share identical branding elements. Unique phrases on their websites, not observed elsewhere, further point to a common origin.
Personnel overlap also supports the connection. One administrator appears to operate across both services and is likely based in the Baltics.
A Cryptomus administrator on Telegram admitted the two entities had “entered into certain agreements,” while still claiming they were separate operations.
Users on technology forums noticed the similarities early. One post from March 2025 noted that existing Cryptomus credentials worked to log into Heleket directly. That level of access crossover is unusual for two genuinely independent platforms.
Structural similarities extend beyond branding. Both charge a matching 0.4% fee for payment processing. Both require users to submit project descriptions for approval, a practice they call “project moderation,” rather than the standard Know Your Business procedures used by regulated institutions.
Garantex Served as Liquidity Source for Both Platforms
The first large inflows into Heleket’s wallets came from Garantex in January 2025. Garantex is a sanctioned Russian exchange that also maintained a liquidity relationship with Cryptomus. This type of sourcing is uncommon for any registered payment processor.
TRM observed transaction patterns between Cryptomus and Garantex consistent with a liquidity provider arrangement. Large, rounded-value transfers flowed regularly between the two. Regulated virtual asset service providers typically avoid sanctioned entities entirely.
Heleket’s on-chain volume grew sharply after Cryptomus introduced mandatory KYC controls in February 2025. Cryptomus saw monthly volume fall from approximately USD 153 million in January to USD 86 million by March. Heleket’s rise during the same period appears directly tied to that decline.
TRM tracked several cybercrime actors, including CSAM vendors, migrating from Cryptomus to Heleket at that time. The timing aligns with the incentive to move toward a platform with fewer identity verification requirements.
Heleket’s Illicit Ratio Raises Industry Concerns
Heleket’s incoming illicit volume sits at approximately 0.6% of total inflows during 2025. While that figure appears modest in isolation, it is nearly five times the average rate recorded across payment service providers in TRM data for the same period.
Sanctions-related entities account for 60% of those flagged inflows, with Garantex as the primary source. Russian darknet markets and cybercrime service providers make up much of the remaining exposure.
Between April and May 2025, Heleket accounted for over 80% of combined illicit flows across the two platforms. That share later stabilized near 45% through the end of 2025, still disproportionate given that Heleket represented only about 30% of total combined volume.
Xeltox Enterprises Ltd., the company behind Cryptomus, is currently appealing the FINTRAC penalty. The firm claims no knowledge of or control over the flagged transactions. If regulators establish an operational link between Cryptomus and Heleket, that argument may not hold.



