CertiK: Russia’s A7A5 Took 43% of Non-USD Stablecoin…

Key Facts

  • CertiK’s 2026 Skynet Stablecoin Threat Intelligence Report finds Russian-ruble-backed stablecoin A7A5 processed over US$110 billion in cumulative on-chain transactions within one year of its January 2025 launch, capturing approximately 43% of the global non-USD stablecoin market.
  • A7A5 became the first cryptocurrency ever explicitly named in an EU transaction ban (19th sanctions package, effective 25 November 2025), with parallel designations from OFAC (August 2025) and the UK’s OFSI.
  • The token’s holder count grew continuously from approximately 13,000 to 29,000 between February 2025 and May 2026, with no observable inflection at any sanctions event.
  • Bridge and interoperability protocol incidents have totaled over US$328 million in 2026, with the Kelp DAO wallet compromise alone accounting for US$291.3 million in April.
  • Across the largest 2026 DeFi incidents, wallet compromise has overtaken code vulnerabilities as the dominant exploit vector by value.

A Russian-ruble-backed stablecoin called A7A5 has captured roughly 43% of the global non-USD stablecoin market within one year of launch, processing over US$110 billion in cumulative on-chain transactions despite coordinated US, UK and EU sanctions. That finding sits at the centre of CertiK’s 2026 Skynet Stablecoin Threat Intelligence Report, which documents what the security firm calls the most consequential example of state-sponsored sanctions evasion the digital asset ecosystem has yet seen.

A stablecoin built outside Western enforcement

A7A5 was issued in January 2025 by Old Vector LLC, a Kyrgyz entity acting on behalf of Russian cross-border-settlement firm A7 LLC. A7 LLC is co-owned by Moldovan-Russian oligarch Ilan Shor — convicted in absentia of the 2014 theft of approximately US$1 billion from three Moldovan banks — and Promsvyazbank (PSB), the Russian state-owned bank that services the country’s defence-industrial complex.

The architecture is structurally circular. PSB holds the ruble collateral that backs the token. PSB owns the Tokeon platform that processes its transactions. PSB is half-owner of A7 LLC, the operating entity. Old Vector, A7 LLC and Tokeon are all under overlapping US, UK and EU sanctions designations. No independent audit or reserve attestation has been published.

The contract itself is a near-direct lineage of Tether’s USDT contract, with privileged owner, compliance and accountant roles supporting blacklisting, fund destruction (logged on-chain as dirtyShares), pausing and rebasing functions. CertiK frames this as a deliberate design philosophy: replicate USDT’s centralised architecture, but locate issuer, collateral and compliance authority beyond Western reach.

Sanctions named A7A5 for the first time — and the curve didn’t blink

The international response has been genuinely unprecedented. In August 2025, OFAC designated Old Vector, Grinex (the successor to seized exchange Garantex) and individuals tied to the A7 network. The EU then went further: its 19th sanctions package (effective 25 November 2025) became the first sanctions instrument anywhere to place an explicit transaction ban on a named cryptocurrency, listing A7A5 directly in Annex LIII of Regulation 833/2014.

The EU’s 20th package, effective 24 May 2026, broadened the perimeter again — adding Rostec’s RUBx and Russia’s digital ruble to the named-token list and, under a new Article 5bb, imposing a categorical ban on transactions with any crypto-asset service provider established in Russia. Uniswap added A7A5 and its wrapper wA7A5 to its frontend blocklist in November 2025.

None of it has slowed adoption. CertiK’s holder data shows almost perfectly linear growth from approximately 13,000 to 29,000 holders between February 2025 and May 2026, with no observable inflection at any sanctions event. The report identifies two explanations: a yield-retention mechanism that passes 50% of PSB deposit interest to holders via rebasing (something neither USDT nor USDC does), and a structurally non-Western user base — Russian, Kyrgyz, Belarusian, Central Asian — for whom Western sanctions create no exit pressure.

The African vector

The most urgent unresolved risk CertiK flags is geographical expansion. A7 has established offices in Nigeria and Zimbabwe, with Togo potentially next. PSB Deputy Chairman Dorofeev visited Madagascar in January 2026 for discussions with its new military government, explicitly stating an ambition to establish a financial “corridor” in southern Africa. At the Russia-Africa Partnership Forum in Cairo, Foreign Minister Lavrov invited all African nations to join the A7 network.

The structural problem is that no African jurisdiction has been formally engaged by OFAC, HM Treasury or the EU on A7A5-related exposure. Banks in Nigeria, Zimbabwe, Togo and Madagascar that maintain correspondent relationships with Western-aligned institutions risk acquiring secondary-sanctions exposure simply by processing flows from A7-linked local fronts such as Lagos-based Pilot Finance Limited. CertiK identifies this as “the most actionable gap in the current international response.”

Adjacent laundering exposure

The report also documents direct exposure between A7A5’s parent ecosystem and ransomware proceeds linked to Conti, Black Basta and LockBit, as well as DPRK-attributed funds including more than US$30 million traced from the 2023 Horizon Bridge hack. No public evidence shows A7A5 itself has been the issuance vehicle for these flows, but the venue overlap — particularly through Garantex and successor Grinex — means a meaningful share of A7A5 activity touches wallets with prior illicit-flow exposure.

A single point of failure has also emerged. Grinex, the primary A7A5 trading venue carrying approximately US$11.2 billion in A7A5/RUB and US$6.1 billion in A7A5/USDT activity, was reportedly hacked for around US$15 million in April 2026 and suspended operations. The exchange attributed the attack to “foreign intelligence services.” No comparable alternative venue exists at scale.

The broader exploit landscape

The other half of the report covers conventional stablecoin infrastructure exploits, where CertiK identifies a clear shift in the attack surface. Bridge and interoperability protocols remain the highest-value target — 2026 bridge-related losses already exceed US$328 million, dominated by the US$291.3 million Kelp DAO wallet compromise in April.

Wallet compromise has overtaken code vulnerabilities as the dominant exploit vector across the largest 2026 DeFi incidents by value. CertiK’s top-20 incident list for 2026 is led by Kelp DAO (US$291.3M, wallet compromise), Drift Protocol (US$285.3M, wallet compromise), Step Finance (US$27.3M, wallet compromise), Resolv (US$26.8M, wallet compromise) and Rhea Finance (US$18.5M, price manipulation). The pattern echoes the same operational-security shift that CertiK’s April 2026 Skynet Regulatory Report identified: 76% of 2025 on-chain losses came from infrastructure compromises rather than code-level exploits.

The attack surface is also widening beyond DeFi. As stablecoins integrate deeper into traditional finance, attackers are increasingly targeting compliance infrastructure, KYC providers, payment APIs and sanctions screening systems — attack patterns that more closely resemble traditional financial crime than earlier crypto exploits.

Practical guidance for compliance teams

CertiK closes with operational recommendations. Compliance teams should treat ruble-pegged stablecoins as high-risk by default, regardless of the issuing entity’s stated jurisdiction. They should screen for A7A5 contract addresses explicitly — Ethereum (0x6fA0BE17e4beA2fCfA22ef89BF8ac9aab0AB0fc9) and Tron (TLeVfrdym8RoJreJ23dAGyfJDygRtiWKBZ) — even though OFAC has not yet added them to the SDN list.
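One way to implement the explicit contract-address screening recommended above, as an added example that is not taken from CertiK's report: the same contract can show up in transaction data as mixed-case or lowercase hex on Ethereum, and as base58 or 0x41-prefixed hex on Tron, so every spelling is reduced to one comparable form before matching. The record fields, transaction ids and function names are constructed for illustration.

```python
# Added example: chain-aware screening for the two A7A5 contract addresses quoted above.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_A7A5 = "0x6fA0BE17e4beA2fCfA22ef89BF8ac9aab0AB0fc9"   # from the article
TRON_A7A5 = "TLeVfrdym8RoJreJ23dAGyfJDygRtiWKBZ"          # from the article

def b58decode(s):
    """Base58 string -> bytes; each leading '1' is a zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)        # ValueError on a non-base58 character
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def canonical(chain, addr):
    """Reduce any accepted spelling to 40 lowercase hex chars (20 bytes)."""
    a = addr.strip()
    if chain not in ("ethereum", "tron"):
        raise ValueError("unsupported chain")
    if chain == "tron" and a.startswith("T"):
        raw = b58decode(a)                # 0x41 || 20 bytes || 4 checksum bytes (not verified here)
        if len(raw) != 25 or raw[0] != 0x41:
            raise ValueError("not a Tron base58 address")
        return raw[1:21].hex()
    h = a[2:] if a[:2].lower() == "0x" else a
    if chain == "tron" and len(h) == 42 and h[:2] == "41":
        h = h[2:]                         # Tron hex form carries the 0x41 prefix
    if len(h) != 40:
        raise ValueError("wrong address length")
    return bytes.fromhex(h).hex()         # ValueError on non-hex; output is lowercase

WATCHLIST = {(c, canonical(c, a)) for c, a in (("ethereum", ETH_A7A5), ("tron", TRON_A7A5))}

def screen(transfers):
    """Split transfer records into watchlist hits and unparseable addresses."""
    hits, bad = [], []
    for t in transfers:
        try:
            if (t["chain"], canonical(t["chain"], t["token"])) in WATCHLIST:
                hits.append(t["tx"])
        except ValueError:
            bad.append(t["tx"])           # route to manual review, never drop silently
    return hits, bad

SAMPLE = [  # constructed records; tx ids are placeholders
    {"tx": "tx1", "chain": "ethereum", "token": ETH_A7A5.lower()},
    {"tx": "tx2", "chain": "tron", "token": "41" + canonical("tron", TRON_A7A5)},
    {"tx": "tx3", "chain": "tron", "token": TRON_A7A5.lower()},
    {"tx": "tx4", "chain": "ethereum", "token": "0x" + "11" * 20},
]
```

Running `screen(SAMPLE)` flags tx1 and tx2 and reports tx3 as unparseable: a Tron base58 address that an upstream pipeline lowercased no longer decodes, which is why such records are surfaced instead of being treated as clean.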

The report also recommends tracking behavioural and on-chain continuity rather than entity names, given the Garantex-to-Grinex rebrand pattern, and assessing correspondent banking exposure in Nigeria, Zimbabwe, Kyrgyzstan and the UAE. A separate caution covers A7’s “Digital Promissory Notes” — a hybrid instrument exchangeable for local cash via a Telegram bot, which removes value from the public ledger entirely until the next conversion event, creating a gap analogous to trade-based money laundering.

FAQ

What is A7A5?
A7A5 is a Russian-ruble-backed stablecoin launched in January 2025 by Old Vector LLC, a Kyrgyz entity acting on behalf of Russian cross-border-settlement firm A7 LLC. A7 LLC is co-owned by sanctioned Moldovan-Russian oligarch Ilan Shor and the sanctioned Russian state-owned bank Promsvyazbank. Within one year, A7A5 processed over US$110 billion in cumulative on-chain transactions and captured approximately 43% of the global non-USD stablecoin market.

What sanctions apply to A7A5?
A7A5 has been the subject of the most coordinated multi-jurisdictional sanctions response ever applied to a specific stablecoin. OFAC designated Old Vector and Grinex in August 2025, and the UK’s OFSI followed days later. The EU’s 19th sanctions package (effective 25 November 2025) made A7A5 the first cryptocurrency ever explicitly named in an EU transaction ban, and the 20th package (effective 24 May 2026) added a categorical ban on transactions with crypto-asset service providers established in Russia.

What does CertiK identify as the biggest exploit trend in 2026?
Bridge and interoperability protocols remain the highest-value attack surface, with 2026 bridge-related losses already exceeding US$328 million. Wallet compromise has also overtaken code vulnerabilities as the dominant exploit vector by value across the largest 2026 DeFi incidents — reflecting a shift toward targeting operational and custody security rather than on-chain logic.

The Skynet report’s defining argument is that the two threats it documents — opportunistic infrastructure attacks and deliberate state-sponsored sanctions evasion — are converging into a single security problem. Understanding either in isolation, as CertiK puts it, understates the overall risk. With A7A5’s African corridor expanding alongside Russia’s military deployments and Western enforcement struggling to reach jurisdictions where the network operates, the gap between regulatory architecture and actual settlement flow is the variable most likely to define the next 12 to 18 months of digital asset security. This article is informational and does not constitute investment, compliance or legal advice.