
US-sanctioned currency exchange says $15 million heist done by "unfriendly states"

Published by AIDaily Editorial Team
Original source author: Dan Goodin

Grinex says needed hacking resources "available exclusively to ... unfriendly states."


Grinex, a US-sanctioned cryptocurrency exchange registered in Kyrgyzstan, said it’s halting operations after experiencing a $13 million heist carried out by “western special services” hackers.

Researchers from TRM, which has confirmed the theft, put the value of stolen assets at $15 million after discovering roughly 70 drained addresses, about 16 more than Grinex reported. Neither TRM nor fellow blockchain research firm Elliptic has said how the attackers slipped past Grinex’s defenses. Grinex said it has been under almost constant attack attempts since incorporating 16 months ago. The latest attacks, it said, targeted Russian users of the exchange.

Damaging “Russia’s financial sovereignty”

“The digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states,” Grinex said. “According to preliminary data, the attack was coordinated with the aim of causing direct damage to Russia’s financial sovereignty.”

“Due to the attack, the Grinex exchange is forced to suspend operations,” Grinex continued. “All available information has been transferred to law enforcement agencies. An application has been submitted to the location of the infrastructure to initiate a criminal case.”

TRM said that TokenSpot, a second Kyrgyzstan-based exchange, was also breached. Two of the exchange’s addresses sent funds to the same consolidation address used by the affected Grinex-linked wallets. What’s more, both exchanges became inoperable on Wednesday, suggesting they were hit by the same attacker.

TRM said TokenSpot was a front for Grinex, which the US Treasury Department sanctioned last year. The department’s Office of Foreign Assets Control said that Grinex, in turn, was a rebrand of Garantex, an exchange it had sanctioned in 2022. The department said then that Garantex had “directly facilitated notorious ransomware actors and other cybercriminals by processing over $100 million in transactions linked to illicit activities since 2019.” Last year’s sanctions against Grinex came a few months after TRM said that the exchange was likely a front for Garantex.

TRM said Thursday that it couldn’t confirm Grinex’s claim that Western special services were behind the heist. TRM also said that the theft didn’t appear to be performed by insiders in an attempt to liquidate assets before abandoning the exchange.

“Based on the relatively low total value drained, the indiscriminate targeting of both large and small wallets across multiple platforms including TokenSpot—which has since resumed operations after claiming a technical issue—TRM assesses this incident was more likely an external cyber operation rather than an exit scam.”

Elliptic said that Grinex has “strong ties to Russia and is one of the largest exchanges for exchanging Russian rubles for cryptoassets.” To date, it has processed transactions totaling more than $6 billion.

“It is likely that Grinex has common ownership and management with Garantex and was established as a response to the sanctions imposed on Garantex,” Elliptic said. “Following the shutdown of Garantex, much of its liquidity and clients migrated to Grinex.”

The drained Grinex accounts, Elliptic said, had outgoing transactions totaling about $15 million in USDT, an ethereum-based stablecoin its backers say is pegged to the value of the US dollar. The funds were then sent to further accounts on the TRON or ethereum blockchains. The USDT was then converted to either the TRX or ETH currencies. That conversion allowed the attackers to avoid the risk of the stolen assets being frozen by Tether, the company that issues the USDT stablecoin.

Key takeaways

  • The attack on Grinex highlights the vulnerability of cryptocurrency exchanges and the need for robust security.
  • The connection between Grinex and Garantex underscores the importance of due diligence in choosing investment platforms.
  • The incident may impact user trust in exchanges, especially in regions with political tensions.

Editorial analysis

The recent breach of the Grinex exchange, resulting in a theft of approximately $15 million, raises significant questions about the security of cryptocurrency platforms, particularly in a context where regulation is still developing in many countries, including Brazil. The claim that the attack was carried out by 'Western special services' reflects a geopolitical narrative that may impact user perception and trust in cryptocurrency exchanges, especially those operating in regions with political tensions, such as Central Asia.

For the Brazilian tech sector, this situation serves as a warning about the need to bolster cybersecurity measures in cryptocurrency trading platforms. With the growth of the crypto asset market in Brazil, protection against cyberattacks must be a priority, especially considering that the country already faces challenges related to digital security. Grinex's experience can be a valuable case study for Brazilian exchanges, which should learn from the mistakes and vulnerabilities of their international peers.

Moreover, the connection between Grinex and Garantex, both sanctioned by the U.S. government, highlights the importance of rigorous due diligence in choosing investment platforms. A lack of transparency and the potential for involvement in illicit activities can harm not only investors but also the reputation of the cryptocurrency market as a whole. Brazil, which is in the process of regulating the sector, should consider these issues when formulating policies that promote a safe and trustworthy environment for investors.

What to watch for next is how cybersecurity authorities and regulatory agencies will respond to this incident. International collaboration may be necessary to address emerging threats and protect digital assets. Additionally, the response from Grinex and other affected exchanges may influence security practices across the sector, leading to greater awareness of the importance of data protection and transaction integrity in an increasingly complex digital environment.

Original source:

Ars Technica AI
