Kyrgyzstan-incorporated cryptocurrency exchange Grinex, sanctioned by the UK and US last year, said it was suspending operations after blaming Western intelligence agencies for a $13.74 million hack.
The exchange said it was the victim of a large-scale cyber attack that suggested the involvement of a foreign intelligence agency. The attack resulted in the theft of more than 1 billion rubles in user funds.
“The digital forensic evidence and nature of the attack point to an unprecedented level of resources and technological sophistication – capabilities typically available exclusively to agencies of hostile states,” the company said in a statement posted on its website. “Preliminary findings suggest that the attack was carried out with the specific aim of directly harming Russia’s financial sovereignty.”
A spokesperson for the company said that the exchange’s infrastructure had been under attack since the beginning of its operations, and that the latest development represented a new level of escalation aimed at destabilizing the domestic financial sector.
Grinex is believed to be a rebrand of Garantex, a cryptocurrency exchange that was sanctioned by the US Treasury Department in April 2022 for facilitating ransomware and money laundering transactions linked to illicit actors and darknet markets, such as Conti and Hydra. Treasury renewed sanctions against Garantex in August 2025 for processing and enabling money laundering of more than $100 million in illicit transactions.
According to the Treasury and details shared by blockchain intelligence firms Elliptic and TRM Labs, Garantex is said to have shifted its customer base to Grinex in response to the sanctions and has remained operational using a ruble-backed stablecoin called A7A5.
In a report published this February, Elliptic also revealed that Rapira, a Georgia-incorporated exchange with an office in Moscow, was involved in more than $72 million in direct cryptoasset transactions with Grinex, highlighting how exchanges with ties to Russia have remained able to evade sanctions.
The British blockchain analytics firm said the theft of Grinex assets occurred at approximately 12:00 UTC on April 15, 2026, and the stolen funds were subsequently forwarded to accounts on the TRON or Ethereum blockchain. “This USDT was then converted into another asset, TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether,” it said.
TRM Labs has identified approximately 70 addresses linked to the incident, adding that Kyrgyzstan-based exchange TokenSpot, which likely serves as a front for Grinex, was simultaneously affected.
On the same day that Grinex suffered the breach, TokenSpot posted on its Telegram channel that the platform would be temporarily unavailable due to technical maintenance. On April 16, it announced that full operations had resumed. The attacker is estimated to have stolen less than $5,000 from TokenSpot. The funds were sent via two TokenSpot addresses to the same consolidation address used by the Grinex-linked wallet.
Chainalysis said in its analysis of the incident that stablecoin funds were immediately swapped for a non-freezable token and that this “frantic swapping” of stablecoins for more decentralized tokens is a tactic adopted by bad actors to launder their ill-gotten gains before the assets can be frozen.
It added, “Given the exchange’s heavily sanctioned status, its restricted ecosystem, and Garantex’s on-chain use of preferred obfuscation techniques, it is worth considering whether this incident may have been a false flag attack.” “Whether this incident represents a legitimate exploit by cybercriminals or a well-planned false flag operation by Russia-linked insiders, the disruption of Grinex represents a significant blow to the infrastructure supporting Russian sanctions evasion.”