GRINEX , a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, has said it is suspending operations after blaming Western intelligence agencies for a $13.74 million hack. The firm described the attack as large-scale and said it bore hallmarks of foreign intelligence involvement, with more than 1 billion rubles reportedly stolen from user accounts.
Digital forensic evidence was cited by the company, which claimed the attack showed resources and sophistication typically available only to hostile-state agencies. According to the Treasury, and details shared by Elliptic and TRM Labs, Garantex is believed to have moved its customer base to Grinex in response to sanctions and to have persisted using a ruble-backed stablecoin called A7A5.
The incident also involved TokenSpot, which briefly went offline on the day of the breach and announced a return to full operation the following day, with a small amount of funds allegedly moved through TokenSpot addresses to the Grinex-linked wallets. Chainalysis described the asset movements as a rapid swap from stablecoins to non-freezable tokens to launder illicit proceeds.