Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack that it attributes to Western intelligence agencies.
The funds were stolen from cryptocurrency wallets belonging to Russian users, as the platform enables crypto-ruble exchange operations between Russian businesses and individuals.
Launched early last year, Grinex has Russian links and is believed to be a rebrand of Garantex, a Russian crypto exchange whose admin was arrested and whose domains were seized over allegations of processing more than $100 million in illicit transactions and enabling money laundering.
In August 2025, the U.S. Department of the Treasury announced sanctions against Grinex, based on evidence that the exchange service was a continuation of Garantex activity, accepting the same actors and their funds, and playing an identical role as an enabler of illegal operations.
Grinex continued to operate, providing Russia with some level of financial sovereignty and the ability to bypass international sanctions that impacted banking and transactions, mainly through a Russian ruble-backed stablecoin named A7A5, which was directly adopted from Garantex.
The exchange says that the type of attack and the digital footprint indicate a threat actor associated with “foreign intelligence agencies” that have “an unprecedented level of resources and technology, accessible only to entities of hostile states.”
“According to preliminary data, the attack was coordinated with the aim of directly harming Russia’s financial sovereignty,” Grinex states.
Blockchain analysis firm Elliptic reports that the theft occurred on Wednesday at 12:00 UTC, and the stolen funds were sent to TRON and Ethereum addresses, then converted into TRX and ETH through the SunSwap decentralized trading protocol.
TRM Labs identified 70 attacker addresses and also discovered a second hack at TokenSpot, another exchange based in Kyrgyzstan with ties to Grinex.
TRM Labs connects TokenSpot to Houthi-linked laundering operations, weapons procurement, and the InfoLider influence operation in Moldova, all aligning with Russian strategic goals.
Neither Grinex’s announcement nor Elliptic’s or TRM Labs’ reports provide any evidence pointing to a specific perpetrator, and no technical evidence or indicators were provided to support the exchange’s attribution to Western intelligence services.
BleepingComputer has contacted Grinex about attribution of the attack, but we had not received a response by publishing time.
