Sanctioned Crypto Exchange Grinex Suspends Operations Following Alleged $13.74 Million Hack
The **Grinex** cryptocurrency exchange, already under sanctions from the U.S. and U.K., has halted operations, citing a sophisticated cyberattack resulting in a $13.74 million (over 1 billion rubles) loss. Grinex alleges the attack bears the hallmarks of Western intelligence agencies aiming to destabilize Russia's financial sovereignty.

### Grinex Claims Sophisticated Cyberattack
**Grinex**, a Kyrgyzstan-incorporated cryptocurrency exchange, announced its suspension of operations after attributing a significant hack to Western intelligence agencies. The exchange claims a loss of over 1 billion rubles (approximately $13.74 million) due to the incident.
According to Grinex's statement, the cyberattack displayed "an unprecedented level of resources and technological sophistication – capabilities typically available exclusively to the agencies of hostile states." They further suggest the attack was coordinated to directly damage Russia's financial sovereignty.
The company stated its infrastructure had been under attack since its inception, with this latest incident marking a significant escalation.
### From Garantex to Grinex: A Sanctioned History
Grinex is widely considered a rebrand of **Garantex**, a cryptocurrency exchange sanctioned by the U.S. Treasury Department in April 2022. The sanctions stemmed from Garantex's alleged role in laundering funds tied to ransomware operations such as **Conti** and darknet markets such as **Hydra**. The Treasury renewed sanctions against Garantex in August 2025 for processing over $100 million in illicit transactions and enabling money laundering.
Following the initial sanctions, **Elliptic** and **TRM Labs** reported that Garantex shifted its customer base to Grinex and continued operations using a ruble-backed stablecoin, A7A5.
### Sanctions Evasion Tactics
Elliptic reported in February that **Rapira**, a Georgia-incorporated exchange with a Moscow office, engaged in over $72 million in direct cryptoasset transactions with Grinex, highlighting ongoing sanctions evasion efforts.
Elliptic reported that the Grinex asset theft occurred on April 15, 2026, around 12:00 UTC. The stolen funds were subsequently transferred to accounts on the **TRON** or **Ethereum** blockchains. The stolen **USDT** was then converted to **TRX** or **ETH**, likely to circumvent potential freezing by **Tether**.
### TokenSpot Connection
TRM Labs identified approximately 70 addresses linked to the breach, also noting that **TokenSpot**, a Kyrgyzstan-based exchange suspected of operating as a front for Grinex, was simultaneously affected.
TokenSpot announced temporary unavailability due to technical maintenance on the same day as the Grinex breach, and operations resumed the following day. The attacker is estimated to have stolen less than $5,000 from TokenSpot, with funds routed through TokenSpot addresses to a consolidation address also used by Grinex-linked wallets.
### False Flag Speculation
**Chainalysis** noted the rapid conversion of stablecoins to non-freezable tokens as a common laundering tactic. They also raised the possibility of a false flag operation, stating, "Whether this event represents a legitimate exploit by cybercriminals or an orchestrated false flag operation by Russia-linked insiders, the disruption of Grinex deals a significant blow to the infrastructure supporting Russian sanctions evasion."