Grinex Exchange Suspends Operations Following Major Hack
The cryptocurrency exchange Grinex, based in Kyrgyzstan and previously sanctioned by the U.K. and U.S., has announced a halt in its operations. This decision follows a significant cyber attack resulting in the theft of around $13.74 million. The exchange has attributed this breach to Western intelligence agencies, suggesting a sophisticated level of involvement in the attack.
According to Grinex, the cyber assault was marked by advanced technological capabilities typically associated with state-level intelligence operations. The attack led to the loss of over 1 billion rubles in user funds, as stated in an official release. The exchange speculated that the motive was to damage Russia’s financial sovereignty.
Allegations of Intelligence Involvement
Grinex’s spokesperson revealed that the exchange had been targeted since its inception, with the recent breach representing a new escalation in cyber threats aimed at destabilizing the local financial landscape. The company, believed to be a rebranded version of Garantex, has faced sanctions due to links with illicit activities, including ransomware and darknet market operations.
The U.S. Treasury had previously sanctioned Garantex in 2022 and renewed these sanctions in 2025. Garantex allegedly facilitated over $100 million in illicit transactions. In response to sanctions, it reportedly transitioned its customer base to Grinex, utilizing a ruble-backed stablecoin called A7A5 to remain operational.
Blockchain Analysis and Further Developments
Reports from blockchain intelligence firms Elliptic and TRM Labs indicate that Grinex has been involved in significant financial activities with Rapira, a Georgian exchange, totaling over $72 million. The April 15 breach saw stolen assets moved to TRON and Ethereum blockchains, with the funds converted to assets like TRX or ETH to circumvent freezing by Tether.
TRM Labs identified approximately 70 addresses linked to the incident. It noted that TokenSpot, another Kyrgyzstan-based exchange possibly tied to Grinex, was also affected. TokenSpot temporarily suspended its services due to ‘technical maintenance’ on the day of the breach, resuming operations shortly after.
Implications and Future Outlook
The incident has prompted speculation about whether the hack was a genuine criminal exploit or a false flag operation orchestrated by Russia-linked insiders. Chainalysis highlighted the rapid conversion of stablecoins to evade asset freezing, a common laundering tactic.
The disruption of Grinex, a key player in Russian sanctions evasion infrastructure, raises questions about the future of such exchanges under heavy sanctions. The event underscores the ongoing challenges in regulating and securing the cryptocurrency landscape.
