
Grinex suspends after $13.7M crypto hack; blames Western intelligence

Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after a $13.7 million hack—one it says was carried out by “foreign intelligence agencies,” and yes, it specifically frames the threat as Western intelligence.

The stolen funds came from cryptocurrency wallets belonging to Russian users.
Grinex’s core setup lets Russian businesses and individuals carry out crypto-ruble exchanges, which is part of why the platform’s shutdown is being read as more than just a routine incident.
The whole thing has a familiar feel in crypto security: a fast breach, a fast trail of transfers, and then a lot of arguing over who did what.

Exchange’s attribution: “hostile states” tech and resources

In a statement, Grinex claims the type of attack and the digital footprint point to a threat actor tied to foreign intelligence agencies—described as having “an unprecedented level of resources and technology, accessible only to entities of hostile states.” Grinex also says the operation was coordinated with the aim of directly harming Russia’s financial sovereignty.

The problem, at least based on what’s been publicly provided so far, is that neither Grinex’s announcement nor later blockchain write-ups offer technical proof that pins the intrusion on a specific perpetrator.
No supporting indicators were included to back up the attribution to Western intelligence services.
It’s one of those statements that lands emotionally—“intelligence agencies did it”—but doesn’t really close the loop in the way investigators usually want.

Grinex, which launched early last year, is also described as having Russian links and is believed to be a rebrand of Garantex.
That predecessor’s admin was arrested and its domains were seized after allegations that it processed more than $100 million in illicit transactions and enabled money laundering.

Stolen crypto trail points to TRON, Ethereum, and a second Kyrgyz exchange

Misryoum newsroom reported that in August 2025, the U.S. Department of the Treasury announced sanctions against Grinex, saying it was a continuation of Garantex activity: accepting the same actors’ funds and playing the same role as an enabler of illegal operations.
Despite that, Grinex kept running, giving Russia a way to maintain some financial sovereignty and bypass sanctions that hit banking and transactions.

At the center of that workaround was a Russian ruble-backed stablecoin named A7A5, which was directly adopted from Garantex.

Misryoum analysis indicates the hack itself happened on Wednesday at 12:00 UTC.
Blockchain analysis firm Elliptic reports the stolen funds were sent to TRON and Ethereum addresses, and then converted into TRX and ETH through the SunSwap decentralized trading protocol.
TRM Labs identified 70 attacker addresses and also found a second hack at TokenSpot, another Kyrgyzstan-based exchange with ties to Grinex.

TRM Labs links TokenSpot to Houthi-linked laundering operations, weapons procurement, and the InfoLider influence operation in Moldova, all aligning with Russian strategic goals.
It’s a dense chain of claims, and again, it’s not presented as a clean technical attribution to a single actor—more like pattern-matching across ecosystems.

In practice, these incidents can feel surreal in the moment: your phone buzzes with a security alert in the morning, you still catch yourself smelling warm coffee because the day has already started, and then you realize the “breach” part is real and moving fast.

BleepingComputer has contacted Grinex about its attribution of the attack, but we have not received a response by publishing time.

Either way, Grinex’s shutdown raises the question of what happens next for users who were relying on the crypto-ruble exchange route—and how quickly the broader network of “rebrands” and linked services will be disrupted.
And if Grinex can’t show hard evidence behind its intelligence-agency claims, the public will be stuck with the same uneasy mix: big assertions, visible transaction trails, and missing names.
