Grinex, a Kyrgyz-registered cryptocurrency exchange sanctioned by the United States, said it is halting operations after a $13 million heist carried out by hackers it attributes to Western intelligence services. Researchers at TRM Labs have since confirmed the theft and later pegged the value at roughly $15 million after tracing about 70 drained addresses. Officials have not disclosed how the attackers bypassed Grinex’s defenses. Grinex says the company has faced persistent attack attempts since it began operating 16 months ago, with the most recent assaults targeting Russian users.
Grinex described the attack as evidence that “resources and technology” are available only to “unfriendly states,” saying preliminary data suggests the operation aimed to damage Russia’s financial sovereignty. The firm added that it has handed all available information to law enforcement and filed an application with the infrastructure location to initiate a criminal case.
TRM Labs also indicated that TokenSpot, another Kyrgyzstan-based exchange, was breached. They noted that two TokenSpot addresses moved funds to the same consolidation address used by Grinex-linked wallets, and both exchanges became inoperable on the same day, implying the same attacker was involved. TRM notes TokenSpot was a front for Grinex, which the U.S. Treasury sanctioned last year as a rebrand of Garantex. The Treasury accused Garantex of facilitating ransomware and other illicit activities since 2019.
Elliptic, another blockchain-analytics firm, said Grinex maintains strong ties to Russia and has moved substantial ruble-to-crypto activity. Elliptic suggested Grinex may be closely related to Ganantex and that much of Ganantex’s liquidity migrated to Grinex after sanctions. The report states roughly $15 million in USDT were drained, with funds moved across TRON and Ethereum networks and converted to other tokens to reduce the risk of freezing by Tether.
While officials have not publicly confirmed Western involvement, analysts say the pattern aligns with a broader sanction-evasion ecosystem, including entities closely linked by ownership and liquidity. The incident underscores how sanction-listed exchanges can be part of complex networks and how illicit assets may be laundered after a theft.
