TRM Labs: Cryptomus Secretly Relaunched as Heleket to Keep Laundering Crypto

TRM Labs links Cryptomus to Heleket, a shadow platform allegedly built to continue crypto laundering after Canada’s record $177M penalty.

A major blockchain intelligence firm says a Russia-linked crypto payment processor pulled off a quiet relaunch.

TRM Labs published a detailed report linking Cryptomus to a newer platform called Heleket. According to TRM, the two share infrastructure, personnel, and illicit clientele.

The firm assessed with high confidence that Cryptomus operators likely built Heleket to keep processing transactions without strict identity checks. The findings paint a troubling picture of how sanctioned-linked platforms adapt to avoid accountability.

Cryptomus Faces Record Canadian Penalty Over Money Laundering

Canada’s financial intelligence unit, FINTRAC, handed Cryptomus a record-breaking penalty of nearly CAD 177 million in October 2025.

Related reading:

Crypto News: Canada Fines Cryptomus Record $126M for AML Violations

The fine cited multiple violations of money laundering and terrorist financing laws. Before the penalty landed, Cryptomus had already introduced mandatory identity verification in February 2025.

TRM noted that move triggered immediate concern among users and led to a sharp volume drop.

On-chain data showed transaction volumes fell from USD 153 million in January 2025 to USD 86 million by March.

That dip, TRM argues, opened the door for Heleket. The new platform emerged right as Cryptomus tightened its controls. TRM says that timing was no coincidence.

Heleket Shows Illicit Exposure Nearly Five Times the Industry Average

TRM’s analysis found Heleket’s illicit exposure sits at almost five times the average seen across payment service providers in TRM’s dataset.

Around 60% of its illicit inflows trace back to Garantex, a now-closed Russian exchange that faced U.S. sanctions. Heleket claimed in updated policy documents to require identity documentation, but TRM confirmed that transactions were still possible without it.

Between January and May 2025, Heleket’s share of combined illicit flows between both platforms climbed to over 80%.

New TRM analysis: Russia-linked payment processor Cryptomus likely launched a parallel service — Heleket — to keep laundering crypto after FINTRAC’s record CAD 177M penalty.

Heleket’s illicit exposure is nearly 5x the payment service provider average in TRM data, with 60% of… pic.twitter.com/JHI85pydaR

— TRM Labs (@trmlabs) April 20, 2026

TRM also tracked numerous cybercrime actors moving directly from Cryptomus to Heleket. That group included child sexual abuse material vendors and cybercrime service operators. The migration lined up closely with Cryptomus’s introduction of stricter identity controls.

Heleket claims to operate primarily within the European Union. Despite that claim, TRM’s report places it firmly within a broader sanctions evasion network.

Garantex provided Heleket’s first large liquidity inflows in January 2025, which TRM said is atypical for a legitimately regulated service.

Shared Infrastructure and Branding Tie Both Platforms Together

Off-chain evidence adds weight to TRM’s on-chain findings.

Both Cryptomus and Heleket use the same privacy-focused domain registrar. Their websites share identical design elements and rare phrasing not seen elsewhere in the industry.

One example is the phrase “set discount to payment method,” which TRM said appears only on these two platforms.

Both services charge a matching 0.4% processing fee and use an unusual onboarding method called “project moderation,” requiring users to describe their intended business activities. That process mirrors no standard KYB practice in regulated finance.

TRM also found evidence of shared personnel, including one administrator likely based in the Baltics.

A post from a technology forum in March 2025 noted that users could log into Heleket using their Cryptomus credentials.

A Cryptomus administrator on Telegram acknowledged that the two entities had “entered into certain agreements,” while insisting they were distinct.

TRM’s report identifies this pattern as consistent with what its 2026 Crypto Crime Report called the “year of the Russian rebrand,” where enforcement action prompts parallel platform launches rather than genuine compliance reform.

Xeltox Enterprises Ltd., the company behind Cryptomus, is currently appealing the FINTRAC fine.