
Crypto Exchange Grinex Blames Western Spies for $13m Theft: Experts Question Narrative


A sanctioned cryptocurrency exchange, Grinex, has accused Western intelligence agencies of orchestrating a cyberattack that led to the theft of one billion rubles ($13.2 million) from Russian customers. However, blockchain experts are skeptical of this claim, suggesting the incident may be a false flag operation to cover an exit scam.

Grinex’s Accusation: Western Spies Behind the Attack

Grinex, based in Kyrgyzstan, is widely believed to be the successor to Garantex, which the US sanctioned in 2022 for enabling money laundering and illegal transactions. The exchange itself faced sanctions last August but continued to help Russians evade restrictions through crypto transactions.

In a statement last week, Grinex announced it had suspended operations following a “large-scale cyber-attack” by “foreign” intelligence agencies. The firm claimed that only these actors could muster the “unprecedented level of resources and technology” used in the raid, which it said was intended to harm Russia’s “financial sovereignty.”

“From the very beginning, the exchange’s infrastructure has been subject to attacks,” a Grinex spokesperson said. “We have documented systematic attempts to restrict the transfer of cryptocurrency outside the CIS: the exchange was placed on sanctions lists, crypto wallets were deliberately targeted, and transactions were blocked. Today, attempts to destabilize the domestic financial sector have reached a new level – the direct theft of assets from Russian citizens and companies using complex cyber-attacks.”

Grinex said it filed a criminal complaint about the attack and shared relevant information with law enforcement. It also provided the crypto address where the stolen funds were allegedly deposited after being converted to TRX.

Blockchain Experts Question Grinex’s Narrative

However, forensics firm Chainalysis has raised serious doubts about Grinex’s story. The firm noted that Western agencies typically freeze centralized stablecoins rather than swapping them. In this attack, the stablecoins were quickly swapped for a non-freezable, more decentralized token—a classic tactic used by cybercriminals to launder funds.

“Shortly after the funds were exfiltrated, they were actively moved by leveraging a popular Tron-based decentralized exchange (DEX) to swap the stablecoins into Tron (TRX), the native token of the Tron blockchain,” Chainalysis explained. “Interestingly, this specific DEX was previously heavily leveraged by Garantex – Grinex’s sanctioned predecessor – as a source of liquidity to gas-fund its hot wallets. This behavior immediately raises reasonable questions about Grinex’s claim that Western authorities are behind the attack.”

Chainalysis suggested that this could be a false flag attack, potentially to cover an attempt by administrators to move funds to their own wallets. “Faced with mounting international pressure and a shrinking operational footprint, actors associated with Grinex could be using the guise of an alleged hack to quietly siphon liquidity and execute an exit scam,” it said.

As of now, the exfiltrated funds remain in a single address. As they move downstream, forensic blockchain evidence will provide additional clues as to who might be responsible.

Implications for Sanctioned Crypto Exchanges

This incident highlights the ongoing challenges faced by sanctioned exchanges operating in a gray area. Grinex’s accusations come amid increasing international pressure on entities that help Russia evade sanctions. The US Treasury has repeatedly targeted such platforms, freezing assets and imposing penalties.


In conclusion, while Grinex blames Western spies for the theft, blockchain evidence suggests a more mundane explanation: an insider job or exit scam. As the investigation unfolds, the crypto community will watch closely for further developments.
