
US$13.74M Hack Shuts Down Exchange Grinex Allowed After Spying Claims

Ravie Lakshmanan | April 18, 2026 | Money Laundering / Legal Compliance

Grinex, a Kyrgyzstan-based cryptocurrency exchange approved by the UK and US last year, said it was suspending operations after accusing Western intelligence agencies of a $13.74 million hack.

The exchange was the victim of what it described as a massive cyber attack that had signs of intelligence agency involvement. The attack resulted in the theft of more than 1 billion rubles in user funds.

“Digital forensics evidence and the nature of the attack point to an unprecedented level of resources and technical sophistication – capabilities that are only available in hostile state institutions,” the company said in a statement posted on its website. “Preliminary findings suggest that the attack was carried out with the specific intention of harming Russia’s financial sovereignty.”

The company’s spokesperson further stated that the exchange’s infrastructure has been under attack since its inception, and that the latest development represents a new level of escalation aimed at destabilizing the domestic financial sector.

Grinex is believed to be a rebrand of Garantex, a cryptocurrency exchange that was sanctioned by the US Treasury Department in April 2022 for fraudulent funds linked to ransomware and darknet markets such as Conti and Hydra. The Ministry of Finance renewed the sanctions against Garantex in August 2025 for processing more than $100 million in illegal activities and allowing money laundering.

According to the Ministry of Finance and information shared by blockchain intelligence companies Elliptic and TRM Labs, Garantex is said to have moved its customer base to Grinex in response to the sanctions and remained active using a ruble-based stablecoin called A7A5.

In a report published in early February, Elliptic also revealed that Rapira, a Georgia-incorporated exchange with an office in Moscow, engaged in direct cryptoasset sales to and from Grinex totaling more than $72 million, highlighting how the exchange’s relationship with Russia continues to enable sanctions evasion.

The British blockchain analytics company said that the Grinex asset theft occurred on April 15, 2026, around 12:00 UTC, and that the stolen funds were then transferred to additional accounts on the TRON or Ethereum blockchains. “This USDT was then converted into another asset, TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether,” it added.

TRM Labs has identified around 70 addresses linked to the incident, noting that TokenSpot, a Kyrgyzstan-based exchange that may be operating as a front for Grinex, was also affected.

On the same day Grinex suffered the breach, TokenSpot posted on its Telegram channel that the platform would be temporarily unavailable due to technical maintenance. On April 16, it announced that full operations had resumed. The attacker is estimated to have stolen less than $5,000 from TokenSpot. Funds were transferred through two TokenSpot addresses to the same aggregation address used by Grinex-linked wallets.

Chainalysis, in its breakdown of the incident, said that the stablecoin funds were quickly exchanged for unfrozen tokens and that this “forced exchange” from stablecoins to decentralized tokens was a tactic taken by bad actors to dispose of their illegal funds before the assets were frozen.

“Given the highly decentralized nature of the exchange, its limited ecosystem, and the on-chain use of obfuscation techniques chosen by Garantex, it is worth considering that this incident could be a false flag attack,” it said. “Whether this event represents a legitimate exploit by cybercriminals or a planned false flag operation by Russian-connected insiders, the Grinex disruption is deeply damaging to the infrastructure that supports Russian sanctions evasion.”
