I Wasn't Looking for This. I Found It Anyway.
A week ago I had never heard of A7A5. What happened next is a demonstration of what experienced OSINT investigation actually looks like and why the people running billion-dollar sanctions evasion networks apparently did not invest in cyber security.
Let me be clear about what this article is and what it isn’t.
I am not an anti-corruption crusader. I don’t have a mission to expose bad actors. I run Vorex Intelligence Group, an OSINT investigation firm that serves M&A teams, private equity funds, and legal practitioners who need to know what they’re buying before they buy it. My job is due diligence, not activism.
A week ago, I had never heard of A7A5.
I stumbled onto it while running a client investigation that touched Tether’s reserve structure. One thread led to another, the way threads do when you’re doing this work methodically. Tether’s dominant stablecoin position led me to questions about how sanctioned entities access USDT liquidity. That led me to A7A5 a Russian ruble-backed stablecoin specifically engineered to solve that problem. And A7A5 led me somewhere I didn’t expect to go.
This article is not going to stop anyone. The people running this network are not going to read a Substack post and reconsider their life choices. What this article is and what this series is becoming is a demonstration. A demonstration of what a competent investigator can find using public sources, standard OSINT tools, no dark web access, no data brokers, no paid databases, and about a week of focused work.
A demonstration of why you need someone like Vorex Intelligence Group before you close a deal touching crypto infrastructure. And a demonstration of something that should genuinely alarm every security professional reading this: the people running a network that has processed over $100 billion in transactions apparently never hired anyone to protect their operational security. Their internal planning documents detailed PowerPoint presentations explaining exactly how they structure payments to avoid sanctions were sitting in a public repository, linked from news articles, available to anyone with a search engine and the patience to follow the link.
Think about that for a moment. You build a billion-dollar sanctions evasion network. You create detailed slide decks explaining the mechanism. And then you leave them where anyone can find them.
That is the story. Not the corruption corruption exists everywhere. The story is that basic operational security failures make sophisticated financial crime trivially documentable by an investigator with a laptop and a methodology.
How I Got Here: The Tether Thread
The connection between Tether and A7A5 is not alleged or speculative. It is structural and documented.
A7A5 is a ruble-pegged stablecoin. Russian businesses and individuals purchase A7A5 with rubles through Kyrgyzstan-based exchanges. Those A7A5 tokens are then swapped for USDT Tether’s dollar-pegged stablecoin on exchanges and over-the-counter desks. The conversion gives Russian actors access to global dollar liquidity while keeping their funds one step removed from direct Tether holdings, which U.S. authorities can compel Tether to freeze.
Coinbase’s own converter lists the A7A5/USDT trading pair. This is not an obscure dark web instrument. It is a documented trading pair on mainstream crypto infrastructure.
Elliptic, one of the leading blockchain analytics firms, documented $6.1 billion in direct A7A5/USDT trading volume. Total A7A5 transactions since launch in January 2025: over $100 billion. Peak daily volume: $1.5 billion. That is not a niche experiment that is operational scale.
The U.S. Treasury sanctioned the key entities in August 2025. The EU followed in October 2025 with what it described as its first-ever direct crypto asset sanctions. The UK sanctioned related entities in August 2025. Canada acted as well. Five jurisdictions, coordinated action, unprecedented legal tools deployed.
And yet as the documents I’m about to describe make clear the network kept operating.
What I Found in a Public Repository
Here is where this article becomes something different from standard sanctions coverage.
While researching A7A5 through public sources, I found a published analytical report from the Cyfluence Research Center a Berlin-based open-source intelligence and influence operations research organization — documenting what they describe as a “Cyfluence Counteroperation” targeting Ilan Shor’s network ahead of Moldova’s 2025 parliamentary elections.
Their October 2025 report explains what happened: on September 3, 2025, internal data from two Shor-affiliated companies A7 and Anykey LLC was exfiltrated and published to ProtonDrive, then disseminated via Telegram channels. The Cyfluence Research Center assessed the operation as a coordinated hack-and-leak designed to disrupt and delegitimize Shor’s political machinery before Moldova’s elections. Attribution remains undetermined the report notes it could have been regional hacktivist collectives or a state-affiliated actor executing a preemptive countermeasure against Russian election interference.
The Cyfluence Research Center’s report linked directly to the publicly accessible ProtonDrive repository containing the leaked files. That is the link I followed. That is where I found these documents.
I want to be precise about what this means for my sourcing. These documents were not leaked to me. I did not obtain them through any covert method. They were exfiltrated from A7’s systems by an unknown third party, published to a public cloud repository, reported on by a published research organization, and I accessed them through that published report’s public link. Every step in that chain is documented and verifiable.
Before I describe what these documents contain, let me state my methodology clearly. All Vorex Intelligence Group investigations operate under our published Research Ethics and Methodology Policy passive OSINT only, publicly available sources, no unauthorized access, no engagement with any party under investigation. Everything I publish here I can defend.
The investigation is ongoing. I do not publish findings I cannot defend. Where something is still being verified, I will say so explicitly.
Document 1: The Infrastructure Presentation
The first document is a PowerPoint presentation describing A7’s financial infrastructure. It describes bills of exchange векселя issued to bearer for international payments. It names their licensed Kyrgyz broker, KIFIKO, including its full license numbers, its Global Intermediary Identification Number (GIIN: 7CLWIM.99999.SL.417), and its Legal Entity Identifier (LEI: 254900YXV5VLX25QHX10). Both identifiers are verifiable in international financial registries.
It identifies two crypto exchanges used for A7A5 trading: the Meer exchange (subsequently sanctioned) and Kyrgyzstan’s state CNE exchange.
Document 2: The Gazprom Payment Scheme
The second document is the most operationally significant. It is a detailed payment flow diagram titled “Payment Calculation Scheme for Pipeline Natural Gas Deliveries to the Republic of Turkey in Rubles.”
The diagram names the following parties in the payment chain: Gazprom Export, Turkish gas buyers, A7-Agent, a Turkish intermediary called ZMB Gaz Depo A.S., Akkuyu Nukleer A.S. — which is Rosatom’s Turkish nuclear subsidiary and Emlak Bank in Turkey as the settlement institution, with AED (UAE dirhams) as the settlement currency.
This is a documented scheme for routing Russian state energy revenues specifically Gazprom pipeline gas payments from Turkish buyers through A7’s bill of exchange infrastructure, avoiding the SWIFT system, with Russia’s state nuclear corporation as a named participant in the payment flow.
I want to be precise: this document describes a planned or operational payment mechanism. I am not asserting that every transaction in this scheme was completed as described. What I am asserting is that A7’s own internal documents describe this mechanism, name these parties, and detail these flows.
Document 3: The Client Transaction Ledger
The third document is a transaction ledger for A7-Agent covering September 2024 through April 2025 the period before U.S. sanctions were imposed. It lists hundreds of Russian company clients with monthly ruble credit amounts.
Total transactions in this ledger: approximately 172 billion rubles, equivalent to roughly $2.1 billion USD at prevailing exchange rates.
One entry near the bottom of the ledger is particularly notable. Listed as an individual counterparty, with a Russian tax identification number, is: Шор Илан Миронович — Ilan Shor. The same Ilan Shor who owns 51% of A7 LLC, who was convicted of stealing $1 billion from Moldovan banks, who is currently a fugitive in Russia, and who is sanctioned by the U.S., UK, EU, and Canada. He appears not just as the owner of the network — but as a named client transacting through it.
Document 4: The Internal Payment Scheme (July 1, 2025)
The fourth document is the most operationally revealing. It is dated July 1, 2025 after U.S. and UK sanctions had already been imposed on A7’s entities. It is titled “Internal Payment Scheme of Group A7.”
This document maps the complete internal money architecture of the A7 Group as it was operating post-sanctions. The network at that point included: multiple Kyrgyz trading entities (Ala-Too Trade Group, Kyrgyz Front Trading, Alay Nexus Trade, Bishkek Global, Naryn Valley, Kyrgyz Silk Exchange); A71 and A7-Agent as primary conduits; Old Vector handling “market making”; KIFIKO receiving crypto payments; a UAE branch called Galadriël handling external clients in dollars and Chinese yuan; and explicit references to “markets via crypto” and “payment via crypto” as exit channels.
Also listed as a cash collection point: Sadovod. Russia’s largest open-air market in Moscow, long documented as a cash-intensive environment used for informal currency exchange.
The network did not shut down after sanctions. It reorganized and kept running.
The Bill of Exchange Screenshot
The fifth piece of evidence is a screenshot from what appears to be A7’s internal accounting system a “Bill of Exchange Workstation” showing live transactions from July 2025. The screen displays individual bills of exchange with serial numbers, issuance dates, counterparty names, and ruble amounts.
The Turkish entity Globaluei Dysh Tidjaret Shirketi which appears in both the payment scheme diagram and the internal architecture document — is shown receiving bills of exchange worth 1.5 billion rubles, 2 billion rubles, 4.1 billion rubles, and 1.5 billion rubles in July 2025 alone. Other entities shown include Talas Global Merchants, Alay Nexus Trade, and Kyrgyz Front Trading Ko.
The visible transactions in this single screenshot total approximately 14.9 billion rubles roughly $185 million USD processed in July 2025, after sanctions.
What This Means — And What I Still Don’t Know
Let me be direct about the limits of what I’ve established.
I have documented the existence and contents of these internal A7 documents. I have verified their consistency with publicly reported information about A7’s structure and operations. I have not independently verified every transaction claim in the ledgers, and I have not confirmed the current operational status of every entity named.
The Turkish entity Globaluei Dysh Tidjaret Shirketi requires further investigation. It appears in multiple documents as a significant counterparty, but I have not yet located its Turkish corporate registration details or confirmed its relationship to Emlak Bank. That work is ongoing.
The Cantor Fitzgerald custody claim that Cantor custodies A7A5 as well as Tether reserves comes from a single published source and has not been independently verified. I will not publish that finding until I can confirm it through a second source or primary documentation. That standard is non-negotiable.
What I can say with confidence: the A7 network processed billions in transactions through Kyrgyz, Turkish, and UAE intermediaries using bills of exchange and crypto rails, with Russian state energy and nuclear entities as documented participants, operated by a sanctioned fugitive oligarch with documented connections to the Russian FSB and the Kremlin’s press secretary’s social circle, and left its operational planning documents in a publicly accessible repository.
The Real Story Here
I want to return to where I started.
This investigation is not going to stop anyone. The people running this network have resources, legal teams, and geopolitical protection that a Substack series cannot touch.
The real story is operational security. Or the complete absence of it.
Somewhere in this network, someone created a PowerPoint presentation detailing how the A7 Group routes payments to avoid Western sanctions naming the Turkish intermediaries, the Kyrgyz shell companies, the UAE channels, the crypto exit ramps. And that presentation ended up in a public repository where I found it by following a link from a news article.
That is a catastrophic operational security failure. And it is not unusual. In my experience working M&A due diligence and corporate investigations, the most damaging findings rarely come from sophisticated hacking or dark web sources. They come from documents that organizations failed to protect files left in public repositories, presentations uploaded to shared drives, corporate registrations that reveal ownership structures their principals believed were hidden.
The lesson for my clients is straightforward: if you are evaluating an acquisition target with crypto exposure, stablecoin counterparty relationships, or operations in high-risk jurisdictions, the question is not whether they have something to hide. The question is whether they were careless enough to leave it where I can find it.
In this case, they were.
What Comes Next
This investigation is ongoing. I am working to verify the Turkish corporate registration of Globaluei Dysh Tidjaret Shirketi, confirm or deny the Cantor Fitzgerald custody claim, and trace the bill of exchange payment flows through public financial registry records.
I publish findings as they develop, with explicit confidence levels. Verified facts are presented as facts. Unverified leads are presented as open questions. I do not speculate past what the documents support.
The next installment will focus on the political dimension Ilan Shor’s documented connections to Russian state structures, his election interference operations in Moldova, and what all of this means for the regulatory environment surrounding the stablecoin market his network depends on.
All investigation work follows Vorex Intelligence Group’s published Research Ethics and Methodology Policy. Passive OSINT only. Publicly available sources only. No engagement with any party under investigation.
If you are conducting M&A due diligence on any company with exposure to stablecoin infrastructure, Tether counterparty relationships, or operations touching the entities named in this series, Vorex Intelligence Group is available for consultation.