Grinex Points Finger at “Western Intelligence” for $13.7M Crypto Hack

Grinex Exchange Blames Western Intelligence for $13.7 Million Crypto Hack

Kyrgyzstan-based cryptocurrency exchange Grinex has halted its operations following a significant hack totaling $13.7 million, which the platform attributes to Western intelligence agencies.

The stolen funds originated from cryptocurrency wallets belonging to Russian users, as Grinex facilitates crypto-ruble exchange transactions for Russian businesses and individuals.

Established in early 2024, Grinex has strong ties to Russia and is believed to be a rebranded version of Garantex, a Russian crypto exchange. Garantex’s administrator was arrested, and its domains were seized due to allegations of processing over $100 million in illicit transactions and facilitating money laundering.

In August 2025, the U.S. Department of the Treasury imposed sanctions on Grinex after evidence suggested that the exchange was a continuation of Garantex’s illegal activities, involving the same actors, funds, and enabling similar unlawful operations.

Despite the sanctions, Grinex continued operations, offering Russia a degree of financial independence and the ability to circumvent international sanctions affecting banking and transactions. The exchange primarily utilized a Russian ruble-backed stablecoin called A7A5, inherited from Garantex.

Grinex alleges that the hack, characterized by its nature and digital footprint, was orchestrated by a threat actor associated with “foreign intelligence agencies” possessing advanced resources and technology typically limited to hostile state entities.

The exchange suggests that the attack aimed to directly impact Russia’s financial sovereignty.

According to blockchain analysis firm Elliptic, the theft occurred on Wednesday at 12:00 UTC, with the stolen funds being transferred to TRON and Ethereum addresses and subsequently converted into TRX and ETH through the SunSwap decentralized trading protocol.

TRM Labs identified 70 attacker addresses and uncovered a separate hack targeting TokenSpot, another Kyrgyzstan-based exchange linked to Grinex. TRM Labs connected TokenSpot to Houthi-related money laundering activities, weapons procurement, and an influence operation in Moldova known as InfoLider, all in alignment with Russian strategic objectives.

Neither Grinex’s statement nor reports from Elliptic or TRM Labs provided concrete evidence pointing to a specific perpetrator. No technical evidence or indicators were presented to support the exchange’s attribution of the hack to Western intelligence services.

BleepingComputer reached out to Grinex for further clarification on the attack attribution but had not received a response at the time of publication.