Grinex crypto exchange shuts down, blames Western agencies for $13.7M breach

Grinex exchange collapses after a $13.7M breach and blames Western spies, while Chainalysis flags a possible exit scam and links to a sanctions evasion network.

A Kyrgyzstan-based crypto exchange, Grinex, went offline last Thursday, 16 April, suspending all operations after a security breach that left a massive dent in its accounts. In incident updates shared on Telegram and its official website (grinex.io), the exchange said that the hackers managed to steal around 1 billion rubles (about $13.7 million).

Grinex has taken the unusual step of blaming Western intelligence agencies for the theft. The exchange claimed that the unprecedented level of technology used in the attack suggests it was carried out by state-funded espionage actors aiming to disrupt Russia’s financial systems.

Message on Grinex’s website translated to English from Russian

However, blockchain analysis firm Chainalysis has questioned this story. After examining the digital trail, Chainalysis researchers noted that the movement of the stolen money does not match the typical behaviour of government agencies.

“Russia has a well-documented history of employing false flag tactics across multiple domains, from staging physical sabotage to justify military aggression, to deploying state-aligned ‘hacktivist’ groups to create smokescreens in cyberspace,” the Chainalysis blog post reads.

Technical Clues Point to a Possible Exit Scam

Chainalysis’s research also suggests the hack might actually be an internal move, known as an exit scam, because the stolen funds were originally fiat-backed stablecoins. Instead of being frozen by authorities, which is the standard method used by Western law enforcement, the funds were quickly moved through a Tron-based Decentralised Exchange (DEX).

The hackers then swapped the stablecoins for TRX (Tron tokens), a move that threat actors typically use to prevent their assets from being frozen by coin issuers. Further investigation revealed that the cyberattackers used the same DEX that Grinex’s predecessor, Garantex, used in the past to fund its hot wallets. Currently, 45.89 million TRX is stored in a single wallet address: TH9kgjfrKeTNeyXtDKvxCXZ1dVKr7neKVa.

Digital trail of stolen funds (source: Chainalysis)

Grinex and the Sanctions Net

Grinex has been under heavy international pressure for some time. It was established as a successor to Garantex, which was sanctioned by the US in 2022. Grinex itself was added to the US OFAC, UK, and EU sanctions lists last year.

The platform was a major hub for the A7A5 token, issued by the Kyrgyzstani firm Old Vector. This token was specifically designed to help users bypass sanctions, handling over $93.3 billion in transactions last year alone.

Old Vector is currently on international sanctions lists. Since both the token and Old Vector were already being monitored by international regulators, the exchange’s sudden shutdown has cut off a major route for avoiding financial restrictions.

While Grinex says it has filed a criminal complaint and shared data with law enforcement, the digital evidence has left many experts sceptical. Whether a cyberattack truly hit the platform or the shutdown was a staged move by insiders to steal cash, the result has effectively disabled vital infrastructure used for Russian sanctions evasion.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.