
Grinex Crypto Exchange Blames 'Western Intelligence' After $13.7M Hack

April 17, 2026 16:00 · 4 min read

Grinex Suspends Operations Following Multi-Million Dollar Breach

Kyrgyzstan-based cryptocurrency exchange Grinex has halted all operations after losing approximately $13.7 million in a cyberattack. The platform, which facilitates crypto-to-ruble exchange services between Russian businesses and individuals, claims the breach was orchestrated by agencies tied to hostile foreign governments — specifically pointing the finger at Western intelligence services.

The stolen funds were taken directly from wallets belonging to Russian users, making the incident particularly sensitive given Grinex's role as a financial conduit for Russian entities operating under international sanctions.

Grinex's Alleged Ties to Sanctioned Exchange Garantex

Grinex launched in early 2025 and is widely believed to be a rebrand of Garantex, a Russian cryptocurrency exchange that was the subject of major enforcement actions. Garantex's administrative personnel were arrested and its domains were seized following allegations that the platform processed over $100 million in illicit transactions and served as a vehicle for money laundering.

In August 2025, the U.S. Department of the Treasury formally announced sanctions against Grinex, citing evidence that it was operating as a direct continuation of Garantex. According to Treasury, Grinex accepted the same actors, handled their funds, and fulfilled an identical role as an enabler of illegal financial operations.

Despite those sanctions, Grinex continued functioning, offering Russia a degree of financial independence and a mechanism to sidestep international restrictions. Central to this operation was a Russian ruble-backed stablecoin called A7A5, which was carried over directly from Garantex and used to facilitate cross-border financial activity.

The Exchange's Attribution Claims

In the wake of the hack, Grinex issued a public statement asserting that both the nature of the attack and the digital trail left behind point toward a threat actor connected to foreign intelligence agencies. The exchange described the attack as displaying:

"An unprecedented level of resources and technology, accessible only to entities of hostile states."

Grinex went further, stating: "According to preliminary data, the attack was coordinated with the aim of directly harming Russia's financial sovereignty."

However, neither Grinex's announcement nor the independent reports published by blockchain analysis firms provided any concrete technical evidence or indicators of compromise to support this attribution.

Blockchain Firms Track the Stolen Funds

Blockchain analytics company Elliptic reported that the theft took place on Wednesday at 12:00 UTC. The stolen assets were routed to addresses on the TRON and Ethereum networks, then converted into TRX and ETH through the SunSwap decentralized trading protocol — a common laundering method designed to obscure fund origins and complicate tracing efforts.

Separately, TRM Labs identified 70 attacker addresses linked to the breach. The firm also uncovered a second incident: a hack targeting TokenSpot, another Kyrgyzstan-based exchange with documented ties to Grinex.

TokenSpot's Controversial Connections

TRM Labs' investigation into TokenSpot revealed a troubling web of associations. The exchange has been linked to:

Each of these connections aligns with broader Russian strategic interests, adding another layer of complexity to the narrative surrounding both exchanges and the hack itself.

No Evidence Points to a Confirmed Perpetrator

Despite the inflammatory accusations leveled by Grinex, investigators have not identified a confirmed attacker. Neither Elliptic nor TRM Labs has provided indicators attributing the attack to any government, intelligence service, or known threat group. The claims made by Grinex remain unsubstantiated by any published technical analysis.

BleepingComputer reached out to Grinex seeking comment on the attribution claims, but the exchange had not responded by the time of publication.

The incident underscores the murky intersection of sanctioned financial infrastructure, geopolitical tensions, and cryptocurrency security — a space where attribution is rarely straightforward and claims are often driven by political motive as much as technical evidence.


Source: BleepingComputer
