Sanctioned Grinex exchange loses $13.7M, pins breach on 'Western intelligence'

Grinex, a Kyrgyzstan-based crypto exchange widely regarded as a rebrand of the seized Russian platform Garantex, halted operations after attackers drained $13.7 million from wallets holding Russian user funds. The exchange claims the sophistication and resourcing point to a nation-state actor tied to hostile foreign intelligence services aiming to undermine Russia’s financial sovereignty, though no technical indicators have been published to support that attribution.

Elliptic traced the stolen funds to TRON and Ethereum addresses, where they were swapped into TRX and ETH via SunSwap. TRM Labs mapped 70 attacker-controlled addresses and flagged a parallel intrusion at TokenSpot, a sister Kyrgyz exchange linked to Houthi laundering networks, weapons procurement, and the InfoLider influence campaign in Moldova.

The incident lands months after U.S. Treasury sanctions hit Grinex for continuing Garantex’s sanctions-evasion role, including operations around the A7A5 ruble-backed stablecoin. Attribution to Western agencies remains unsupported by published evidence and reads more as narrative positioning than forensic conclusion — convenient framing for a platform whose core value proposition is sanctions circumvention.