Grinex Suspends Operations After Major Cyber Attack
Grinex, a cryptocurrency exchange based in Kyrgyzstan, has announced the suspension of its operations following a significant cyber attack that it attributes to Western intelligence agencies. The attack has been described as large-scale and sophisticated, and it resulted in the theft of approximately $13.74 million worth of user funds, or over 1 billion rubles. The details were released in a company statement outlining the gravity of the breach and its implications.
In their statement, Grinex claimed that the nature of the cyber attack demonstrated advanced capabilities typically associated with state-operated intelligence agencies. The company suggested that the incident was not merely a random act of cyber crime but rather a calculated move aimed at undermining the financial sovereignty of Russia. The evidence, they stated, points to a meticulously organized effort with resources that are uncommon for typical decentralized hackers. "Digital forensic evidence and the nature of the attack indicate an unprecedented level of resources and technological sophistication," the statement read.
Grinex officials further elaborated that their exchange has been under persistent cyber threats since it began operations. The most recent attack signifies a severe escalation in these efforts, aiming explicitly at destabilizing the financial landscape in Russia. This assertion has raised questions about the ongoing cyber battles playing out in the global financial system, particularly as governments and agencies seek to control and manipulate cryptocurrency exchanges.
The exchange is believed to be a rebranding of Garantex, which was sanctioned by the U.S. Treasury Department in April 2022. Garantex faced scrutiny for its involvement in laundering funds tied to various criminal activities, including ransomware and transactions on the dark web. The most recent sanctions were renewed in August 2025 due to evidence that the exchange processed illicit transactions exceeding $100 million. Reports have indicated that Garantex moved its clientele to Grinex as a means of circumventing the imposed sanctions while continuing to operate using a ruble-backed stablecoin known as A7A5.
In a recently published report by blockchain intelligence firms including Elliptic and TRM Labs, Garantex’s migration to Grinex was discussed in detail. The findings illustrated how entities linked to Russia continue to conduct operations that facilitate evasion of international sanctions, raising major concerns for regulators worldwide. Additionally, a Georgia-incorporated exchange named Rapira, which has established connections with an office in Moscow, was mentioned for conducting direct crypto transactions with Grinex amounting to approximately $72 million.
The cyber attack that led to Grinex’s suspension reportedly took place on April 15, 2026, at around noon UTC. Blockchain analytics firm Elliptic detailed how the stolen funds were moved to various accounts on the TRON and Ethereum blockchains after the breach. Following the theft, the attackers converted the stolen USD Tether (USDT) into other assets to reduce the risk of the funds being frozen by Tether.
TRM Labs highlighted around 70 distinct digital addresses linked with the incident and noted that TokenSpot, another cryptocurrency exchange based in Kyrgyzstan, was affected concurrently. On the day of Grinex’s cyber breach, TokenSpot had announced temporary unavailability for technical maintenance, later confirming the resumption of normal operations. Interestingly, the estimated loss sustained by TokenSpot amounted to less than $5,000, and the funds were verifiably redirected through TokenSpot addresses, eventually converging on wallets associated with Grinex.
In its assessment of the incident, Chainalysis pointed out that the swift conversion of stablecoin funds into non-freezable tokens could signify a premeditated strategy employed by malicious actors. This maneuver, often characterized as “frantic swapping,” is a technique cybercriminals use to launder illicit gains before they are detected.
Given the sanctions on Grinex and its tenuous operational position, the incident raises the question of whether the hack could be a "false flag" attack. This speculation considers the possibility of an orchestrated effort by insiders with ties to Russia, aimed at portraying external vulnerability while presenting an internal narrative of victimization. The implications of Grinex’s incident reach well beyond its immediate aftermath. The disruption significantly affects the ongoing fight against sanctions evasion and highlights the intricate and often perilous intersection between digital finance and geopolitics.

