US-sanctioned currency exchange says $15 million heist done by "unfriendly states"
A US-sanctioned cryptocurrency exchange called Grinex lost $15 million in a hack it blames on Western government operatives, but independent blockchain researchers cannot confirm that claim. The incident matters because Grinex is a known rebranding of the already-sanctioned Garan...
Ars Technica reports that Grinex, a cryptocurrency exchange registered in Kyrgyzstan and designated under US sanctions, has suspended all operations following a theft that blockchain analytics firm TRM Labs valued at $15 million. The exchange itself initially reported a loss of $13 million, but TRM researchers identified roughly 70 drained wallet addresses, about 16 more than Grinex disclosed, pushing the confirmed total higher. The exchange wasted no time pointing fingers at nation-state actors, claiming the attack was coordinated by "western special services" to damage Russia's financial sovereignty.
Why This Matters
This is not a story about a random crypto hack. This is a story about the financial infrastructure supporting Russia's sanctions evasion network getting hit, and both sides now spinning that event for political purposes. Grinex has processed more than $6 billion in total transactions, and its predecessor Garantex was explicitly linked by the US Treasury Department to over $100 million in ransomware-connected activity since 2019. When an exchange of that scale goes dark, it disrupts real money flows with real geopolitical weight. The attribution game being played here is just as significant as the theft itself.
The Full Story
Grinex posted a statement on its website blaming the attack on actors whose capabilities were, in its words, "available exclusively to the structures of unfriendly states." The exchange claimed the attack was designed specifically to harm Russia's financial sovereignty and said it has submitted documentation to law enforcement agencies while requesting the opening of a criminal case where its infrastructure is located. It also noted that it has been under near-constant attack attempts since launching 16 months ago, and that this most recent campaign specifically targeted Russian users on the platform.
TRM Labs investigated the incident and confirmed the breach, but was notably more cautious about the attribution claims. TRM said it could not verify that Western government agencies were responsible. The firm also ruled out an exit scam, which would have been a logical suspicion given that the exchange operates under US sanctions and had obvious incentives to liquidate assets quietly before shutting down. TRM's reasoning was telling: the attackers drained both large and small wallets indiscriminately, hitting users across two platforms, which suggests an external actor rather than insiders carefully picking what to take.
That second platform is TokenSpot, also based in Kyrgyzstan, which TRM described as a front for Grinex. Two of TokenSpot's wallet addresses sent funds to the same consolidation address used by compromised Grinex wallets. Both exchanges went dark on the same Wednesday, a fact that strongly suggests a single coordinated operation hit both simultaneously. TokenSpot later claimed it experienced a technical issue, not a hack, and has since resumed operations, though that explanation has not been independently validated.
The backstory on Grinex is important context for understanding why this incident carries political weight. Elliptic, a separate blockchain research firm, describes Grinex as having "strong ties to Russia" and calls it one of the largest platforms for converting Russian rubles into crypto assets. The US Treasury Department's Office of Foreign Assets Control sanctioned Grinex last year, identifying it as a likely rebrand of Garantex, an exchange that had been sanctioned back in 2022. Garantex was not some minor operation. Treasury described it as having directly facilitated notorious ransomware actors by processing more than $100 million in transactions tied to illicit activity between 2019 and 2022. TRM had already flagged the Garantex connection before the Treasury acted, publishing research suggesting Grinex was a Garantex rebranding effort.
Neither TRM nor Elliptic has disclosed how the attacker breached Grinex's defenses in the first place. The technical methodology remains unknown publicly, which makes independent assessment of the "state-level resources" claim essentially impossible at this stage.
Key Details
- TRM Labs identified approximately 70 drained wallet addresses, confirming $15 million in stolen assets.
- Grinex initially self-reported a loss of $13 million, undercounting by roughly $2 million.
- TokenSpot, identified by TRM as a Grinex front company, was breached in the same operation.
- Both exchanges became inoperable on the same Wednesday in April 2026.
- The US Treasury Department sanctioned Grinex in 2025, and Garantex, its predecessor, in 2022.
- Garantex processed over $100 million in transactions linked to ransomware and cybercriminals between 2019 and 2022.
- Elliptic confirmed that Grinex has processed more than $6 billion in total transactions.
- Grinex stated it has faced near-constant attack attempts since incorporating 16 months ago.
What's Next
TRM and Elliptic will likely continue tracing the stolen funds across the blockchain, and any movement of those assets through identifiable exchanges or mixers could offer clearer attribution clues within days or weeks. The criminal complaint that Grinex has reportedly filed will almost certainly go nowhere in Western jurisdictions given the exchange's sanctioned status, but Russian law enforcement involvement could complicate the digital forensics picture. Watch for whether the 70 drained addresses begin moving their balances through known obfuscation services, which would tell researchers a great deal about who is actually holding the funds.
How This Compares
The Grinex incident sits in a well-established pattern of major crypto exchange breaches, but the political framing here is unusually aggressive. Compare it to the 2022 Ronin Network hack, where North Korea's Lazarus Group stole $625 million from the Axie Infinity bridge. In that case, attribution eventually came from the FBI, with specific wallet addresses and technical indicators. Grinex has offered none of that. It has offered a political narrative and has made no supporting technical evidence public.
The Garantex-to-Grinex rebrand also mirrors what happened with Hydra, the Russian darknet market that US and German authorities shut down in April 2022. After Hydra collapsed, successor markets filled the void almost immediately. Sanctioned entities in Russia have repeatedly demonstrated that they treat enforcement actions as temporary obstacles rather than permanent shutdowns. Grinex was the financial rail supporting that same ecosystem, and its suspension, whether temporary or permanent, leaves a gap that someone will try to fill.
What makes this different from typical exchange hacks covered in AI Agents Daily news is the explicitly geopolitical context. Most exchange breaches are about money. This one is about money that specifically moves in ways the US government has declared illegal, and the exchange's first move after getting hit was to frame itself as a victim of Western aggression rather than acknowledge its own role in enabling sanctions evasion at scale.
FAQ
Q: What is Grinex and why is it sanctioned by the US?
A: Grinex is a cryptocurrency exchange registered in Kyrgyzstan that the US Treasury Department sanctioned in 2025. Regulators identified it as a rebranding of Garantex, an earlier exchange sanctioned in 2022 for processing more than $100 million in transactions connected to ransomware groups and other cybercriminals.
Q: Did Western governments actually hack Grinex?
A: That has not been confirmed by any independent researcher. TRM Labs explicitly stated it could not verify Grinex's claim that Western special services carried out the attack. Without published technical indicators or corroborating intelligence, the attribution remains unsubstantiated.
Q: What happens to users who had funds on Grinex?
A: Grinex has suspended all operations and has not announced any recovery plan for affected users. Given its sanctioned status, US and European users would face significant legal barriers to any claims process, and the exchange's future is uncertain now that it has also filed a criminal complaint with law enforcement in its operating jurisdiction.
The Grinex heist is one of those stories that looks like a cybersecurity incident on the surface but is really a window into how financial warfare between major powers plays out through the crypto ecosystem. Whether the $15 million ever gets traced, and whether any government ever claims credit, the disruption to Russia's ruble-to-crypto pipeline is real and measurable.