$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims
Sanctioned Grinex Exchange Shuts Down After $13.74M Hack; Blames Western Intelligence
TL;DR: Grinex, a sanctioned cryptocurrency exchange with alleged ties to Russia, has suspended operations following a $13.74 million (1 billion ruble) theft. While the exchange claims the breach was a state-sponsored attack by Western intelligence agencies aimed at undermining Russian financial sovereignty, blockchain analysts suggest the incident may be a "false flag" or insider operation.
The Incident: A "State-Level" Breach
Grinex, a cryptocurrency exchange incorporated in Kyrgyzstan, officially announced the suspension of its operations this week following a massive cyber attack. The platform reported the theft of over 1 billion rubles in user funds, equivalent to approximately $13.74 million.
In a statement published on its website, Grinex characterized the breach as a large-scale operation involving "unprecedented levels of resources and technological sophistication." The exchange explicitly attributed the attack to foreign intelligence agencies from "hostile states," claiming the objective was to inflict direct damage on Russia's financial sovereignty.
According to a company spokesperson, the exchange’s infrastructure has been under constant pressure since its inception, but this latest event represents a significant escalation intended to destabilize the domestic financial sector.
Sanction History and the Garantex Connection
The shuttering of Grinex is significant due to the platform’s history of sanctions evasion. Industry experts and government agencies believe Grinex is a rebrand of Garantex, an exchange sanctioned by the U.S. Treasury in April 2022 for laundering funds for the Conti ransomware group and the Hydra darknet market.
Key details regarding the exchange's operations include:
- Sanctions: Grinex was sanctioned by both the U.K. and the U.S. last year.
- Persistent Operations: Despite sanctions, the exchange reportedly remained operational by using a ruble-backed stablecoin known as A7A5.
- Evasion Networks: Blockchain intelligence firm Elliptic recently revealed that over $72 million in transactions occurred between Grinex and Rapira, a Georgia-incorporated exchange with a Moscow office, further highlighting the exchange's role in bypassing international financial restrictions.
Technical Breakdown: Follow the Money
Blockchain analytics firms tracked the theft, which occurred on April 15, 2026, at approximately 12:00 UTC. The stolen funds followed a specific laundering pattern:
- Transfer: Assets were moved to accounts on the TRON and Ethereum blockchains.
- Conversion: The stolen USDT was rapidly converted into TRX or ETH.
- Risk Mitigation: By swapping to decentralized assets, the attacker ensured that Tether (the issuer of USDT) could not freeze the stolen funds.
TRM Labs identified approximately 70 addresses linked to the hack. The firm also noted that TokenSpot, a Kyrgyzstan-based platform suspected of being a front for Grinex, was impacted simultaneously. However, TokenSpot resumed operations on April 16 after a brief "maintenance" period, with losses estimated at less than $5,000.
Attribution: Hack or False Flag?
While Grinex is adamant that Western intelligence is to blame, the cybersecurity community remains skeptical. Chainalysis observed "frantic swapping" of tokens immediately after the breach—a classic tactic used by cybercriminals to launder proceeds before they are blacklisted.
In its analysis, Chainalysis raised the possibility of a false flag attack. Given the exchange’s heavily sanctioned status and its history of utilizing obfuscation techniques, analysts suggested the "theft" could be an orchestrated operation by Russia-linked insiders.
Conclusion: A Blow to Sanctions Evasion
Regardless of whether the culprit is a foreign intelligence agency, a criminal syndicate, or an insider, the collapse of Grinex represents a major disruption. For now, the infrastructure heavily relied upon for Russian sanctions evasion has suffered a critical—and perhaps permanent—blow.
Source: https://thehackernews.com/2026/04/1374m-hack-shuts-down-sanctioned-grinex.html


