**Grinex**, a cryptocurrency exchange based in Kyrgyzstan, has halted its operations following a significant hack resulting in the loss of $13.7 million. The exchange alleges that Western intelligence agencies are behind the attack. ### Background and Sanctions The stolen funds reportedly belonged to Russian users, as the platform enabled crypto-ruble exchange operations between Russian businesses and individuals. Launched early last year, **Grinex** has Russian links and is believed to be a rebrand of **Garantex**, a Russian crypto exchange previously sanctioned for processing over $100 million in illicit transactions and enabling money laundering. In August 2025, the U.S. Department of the Treasury announced sanctions against **Grinex**, citing evidence that the exchange was a continuation of **Garantex** activity, accepting the same actors and funds, and facilitating identical illegal operations. Despite these sanctions, **Grinex** continued to operate, providing Russia with a degree of financial sovereignty and the ability to bypass international sanctions, primarily through a Russian ruble-backed stablecoin named A7A5, adopted directly from **Garantex**. ### Attribution and Investigation **Grinex** claims the attack's nature and digital footprint point to a threat actor associated with "foreign intelligence agencies" possessing "an unprecedented level of resources and technology, accessible only to entities of hostile states." The exchange stated, "According to preliminary data, the attack was coordinated with the aim of directly harming Russia's financial sovereignty." Blockchain analysis firm **Elliptic** reported the theft occurred on Wednesday at 12:00 UTC. The stolen funds were sent to TRON and Ethereum addresses, subsequently converted into TRX and ETH via the SunSwap decentralized trading protocol. **TRM Labs** identified 70 attacker addresses and also uncovered a second hack at **TokenSpot**, another exchange based in Kyrgyzstan with ties to **Grinex**. **TRM Labs** links **TokenSpot** to Houthi-linked laundering operations, weapons procurement, and the InfoLider influence operation in Moldova, all aligning with Russian strategic goals. Neither **Grinex**’s announcement nor **Elliptic**’s or **TRM Labs**’ reports provide concrete evidence pointing to a specific perpetrator. No technical evidence or indicators were provided to substantiate the exchange’s attribution to Western intelligence services. BleepingComputer has reached out to **Grinex** for comment regarding the attribution of the attack but has not yet received a response.