Breaches | Apr 21, 2026

Grinex crypto exchange shuts down, blames Western agencies for $13.7M breach

Grinex crypto exchange shuts down after $13.7M breach, blames Western agencies; Chainalysis flags exit scam.

Summary

Kyrgyzstan-based crypto exchange Grinex went offline after a breach resulted in the theft of approximately 1 billion rubles ($13.7M). The exchange blamed Western intelligence agencies, but blockchain analysis firm Chainalysis questioned this narrative, suggesting the incident may be an internal exit scam based on how the funds moved through a Tron-based DEX. Grinex was a successor to the sanctioned Garantex exchange and served as a major hub for sanctions evasion, particularly through the A7A5 token issued by Old Vector.

Full text

by Deeba Ahmed, April 21, 2026

A Kyrgyzstan-based crypto exchange, Grinex, went offline last Thursday, 16 April, suspending all operations after becoming the victim of a security breach that left a massive dent in its accounts. According to the incident updates shared on Telegram and the official website (grinex.io), the hackers managed to steal around 1 billion rubles (about $13.7 million).

Grinex has taken the unusual step of blaming Western intelligence agencies for the theft. The exchange claimed that the unprecedented level of technology used in the attack suggests it was carried out by state-funded espionage actors aiming to disrupt Russia’s financial systems.

[Image: Message on Grinex’s website translated to English from Russian]

However, blockchain analysis firm Chainalysis has questioned this story. After examining the digital trail, Chainalysis researchers noted that the movement of the stolen money does not match the typical behaviour of government agencies.

“Russia has a well-documented history of employing false flag tactics across multiple domains, from staging physical sabotage to justify military aggression, to deploying state-aligned “hacktivist” groups to create smokescreens in cyberspace,” the Chainalysis blog post reads.

Technical Clues Point to a Possible Exit Scam

Chainalysis’s research also suggests the hack might actually be an internal move, known as an exit scam, because the stolen funds were originally fiat-backed stablecoins. Instead of being frozen by authorities, which is the standard method used by Western law enforcement, the funds were quickly moved through a Tron-based Decentralised Exchange (DEX). The hackers then swapped the stablecoins for TRX (Tron tokens), a move that threat actors typically use to prevent their assets from being frozen by coin issuers.

Further investigation revealed that the cyberattackers used the same DEX that Grinex’s predecessor, Garantex, used in the past to fund its hot wallets. Currently, 45.89 million TRX is stored in a single wallet address: TH9kgjfrKeTNeyXtDKvxCXZ1dVKr7neKVa.

[Image: Digital trail of stolen funds (source: Chainalysis)]

Grinex and the Sanctions Net

Grinex has been under heavy international pressure for some time. It was established as a successor to Garantex, which was sanctioned by the US in 2022. Grinex itself was added to the US OFAC, UK, and EU sanctions lists last year.

The platform was a major hub for the A7A5 token, issued by the Kyrgyzstani firm Old Vector. This token was specifically designed to help users bypass sanctions, handling over $93.3 billion in transactions last year alone. Old Vector is currently on international sanctions lists. Since both the token and Old Vector were already being monitored by international regulators, the exchange’s sudden shutdown has cut off a major route for avoiding financial restrictions.

While Grinex says it has filed a criminal complaint and shared data with law enforcement, the digital evidence has left many experts sceptical. Whether a cyberattack truly hit the platform or the shutdown was a staged move by insiders to steal cash, the result has effectively disabled a vital piece of infrastructure used for Russian sanctions evasion.

About the author: Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.

Indicators of Compromise

  • domain — grinex.io

Entities

  • Grinex (product)
  • Garantex (product)
  • A7A5 token (product)
  • Chainalysis (vendor)
  • Old Vector (vendor)
  • Tron (TRX) (technology)