Practice by Numbers fixes security bug that exposed dental patients’ private records

A security flaw in dental practice software from Practice by Numbers has been patched after it allowed patients to view each other’s medical documents. The bug, which affected a patient portal used by thousands of dental offices, raised serious concerns about health data protection.

The issue came to light when patient Joseph R. Cox discovered he could access other people’s files while reviewing his own dental records. He reported the problem to TechCrunch after struggling to alert the company directly.

How the dental practice software bug worked

Cox found that changing a document number in the web address bar let him load files belonging to other patients. Because the numbers appeared to be sequential, guessing other document IDs was straightforward. This meant anyone with a login could potentially view personal information, medical histories, and even photo IDs of other patients.

The vulnerable portal is part of a broader system used in over 5,000 dental practices across the United States. Practice by Numbers develops this patient management software, which handles sensitive health records.
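The flaw described above is an object-level authorization failure: the portal confirmed that a user was logged in but never checked that the requested document belonged to that user. The Python below is an added illustration, not Practice by Numbers' code; it models the vulnerable lookup beside the fixed one and a log audit of the kind implied by the company's "no evidence in server logs" statement. Document ids, patient accounts and log records are constructed.

```python
"""Object-level authorization for a patient document endpoint.

Added example, not Practice by Numbers' code. Models the reported bug
(changing a sequential document id in the URL returned another patient's
file) and its fix: verify ownership before returning the document.
All data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str  # patient account that owns the file
    content: str

# Constructed sample records with sequential ids, as in the reported bug.
DOCUMENTS = {
    1001: Document(1001, "patient-A", "x-ray-A.pdf"),
    1002: Document(1002, "patient-B", "photo-id-B.jpg"),
    1003: Document(1003, "patient-A", "treatment-plan-A.pdf"),
}

def fetch_document_vulnerable(session_user: str, doc_id: int) -> Optional[str]:
    """Checks only that a session exists; session_user is never compared
    with the document's owner, so any logged-in user can read any id."""
    doc = DOCUMENTS.get(doc_id)
    return doc.content if doc else None

def fetch_document_fixed(session_user: str, doc_id: int) -> Optional[str]:
    """Object-level authorization: the document must belong to the session's
    patient. 'Missing' and 'not yours' both return None so the response does
    not confirm whether a guessed id exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user:
        return None
    return doc.content

def audit_cross_patient_access(log: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Given (session_user, doc_id) request records from an access log,
    return every request for a document the requester does not own, as
    (requester, doc_id, actual_owner). Unknown ids are skipped."""
    return [(user, doc_id, DOCUMENTS[doc_id].owner_id)
            for user, doc_id in log
            if doc_id in DOCUMENTS and DOCUMENTS[doc_id].owner_id != user]
```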

No clear way to report the vulnerability

Cox attempted to contact Practice by Numbers through email but received no response. The company’s website had a broken email address, causing messages to bounce back. He also tried reaching out via LinkedIn to one of the founders, but again heard nothing.

This situation reflects a growing problem: consumers who discover security flaws often have no straightforward method to report them. Similar incidents have occurred with other companies, including fashion retailer Express and Home Depot, where bugs went unreported because users couldn’t find the right contact.

Company response and fix

After TechCrunch alerted Practice by Numbers on April 13, the company took down its patient portal to address the flaw. It was restored on April 17, with the bug now resolved.

Chris Lau, co-founder and CTO, confirmed the fix and said fewer than ten patients had their information exposed. The company is working with the affected dental practice to notify those individuals. Lau added that server logs showed no evidence of previous exploitation, suggesting Cox was likely the first to discover the issue.

However, when asked whether the portal had undergone a security audit before launch, neither Lau nor co-founder Rohit Garg would confirm. Security audits are standard practice for software handling healthcare data, as they help catch common vulnerabilities early.

Lessons for healthcare software security

This incident highlights the importance of robust testing for any system that manages medical records. While no software is perfect, companies dealing with sensitive patient data have a responsibility to seek third-party reviews and establish clear reporting channels.

Garg indicated that Practice by Numbers plans to update its website to allow security researchers to report flaws, though no timeline was provided. For now, the immediate threat has been neutralised, but the case serves as a reminder that even widely used dental practice software can harbour serious weaknesses.

Patients who use online portals should remain vigilant about their data. If you suspect a security issue, consider reaching out to your provider directly or contacting a relevant authority like the Office for Civil Rights for guidance.

Building on this, the broader healthcare industry must prioritise vulnerability disclosure programs. Without them, well-meaning individuals like Cox may continue to face barriers when trying to report critical flaws. As more medical services move online, ensuring these platforms are secure should be a top priority.

Grinex Blames Western Spies for $13m Crypto Theft: Experts Question Narrative

A sanctioned cryptocurrency exchange, Grinex, has accused Western intelligence agencies of orchestrating a cyberattack that led to the theft of one billion rubles ($13.2 million) from Russian customers. However, blockchain experts are skeptical of this claim, suggesting the incident may be a false flag operation to cover an exit scam.

Grinex’s Accusation: Western Spies Behind the Attack

Grinex, based in Kyrgyzstan, is widely believed to be the successor to Garantex, which the US sanctioned in 2022 for enabling money laundering and illegal transactions. The exchange itself faced sanctions last August but continued to help Russians evade restrictions through crypto transactions.

In a statement last week, Grinex announced it had suspended operations following a “large-scale cyber-attack” by “foreign” intelligence agencies. The firm claimed that only these actors could muster the “unprecedented level of resources and technology” used in the raid, which it said was intended to harm Russia’s “financial sovereignty.”

“From the very beginning, the exchange’s infrastructure has been subject to attacks,” a Grinex spokesperson said. “We have documented systematic attempts to restrict the transfer of cryptocurrency outside the CIS: the exchange was placed on sanctions lists, crypto wallets were deliberately targeted, and transactions were blocked. Today, attempts to destabilize the domestic financial sector have reached a new level – the direct theft of assets from Russian citizens and companies using complex cyber-attacks.”

Grinex said it filed a criminal complaint about the attack and shared relevant information with law enforcement. It also provided the crypto address where the stolen funds were allegedly deposited after being converted to TRX.

Blockchain Experts Question Grinex’s Narrative

However, forensics firm Chainalysis has raised serious doubts about Grinex’s story. The firm noted that Western agencies typically freeze centralized stablecoins rather than swapping them. In this attack, the stablecoins were quickly swapped for a non-freezable, more decentralized token—a classic tactic used by cybercriminals to launder funds.

“Shortly after the funds were exfiltrated, they were actively moved by leveraging a popular Tron-based decentralized exchange (DEX) to swap the stablecoins into Tron (TRX), the native token of the Tron blockchain,” Chainalysis explained. “Interestingly, this specific DEX was previously heavily leveraged by Garantex – Grinex’s sanctioned predecessor – as a source of liquidity to gas-fund its hot wallets. This behavior immediately raises reasonable questions about Grinex’s claim that Western authorities are behind the attack.”

Chainalysis suggested that this could be a false flag attack, potentially to cover an attempt by administrators to move funds to their own wallets. “Faced with mounting international pressure and a shrinking operational footprint, actors associated with Grinex could be using the guise of an alleged hack to quietly siphon liquidity and execute an exit scam,” it said.

As of now, the exfiltrated funds remain in a single address. As they move downstream, forensic blockchain evidence will provide additional clues into who might be responsible.

Implications for Sanctioned Crypto Exchanges

This incident highlights the ongoing challenges faced by sanctioned exchanges operating in a gray area. Grinex’s accusations come amid increasing international pressure on entities that help Russia evade sanctions. The US Treasury has repeatedly targeted such platforms, freezing assets and imposing penalties.

In conclusion, while Grinex blames Western spies for the theft, blockchain evidence suggests a more mundane explanation: an insider job or exit scam. As the investigation unfolds, the crypto community will watch closely for further developments.

NCSC Outlines Coordinated Plan to Boost NHS Cyber Resilience: Key Steps and Impact

The UK’s National Cyber Security Centre (NCSC) has revealed a comprehensive, coordinated strategy to strengthen NHS cyber resilience across the healthcare sector. Over the past 18 months, government bodies and industry players have deepened their collaboration to reduce cyber risk and improve threat detection, according to a recent NCSC blog post.

This initiative comes in response to a series of devastating cyber attacks that have disrupted patient care and exposed sensitive data. The NCSC’s plan focuses on several key pillars, from piloting new defensive tools to enhancing software supply chain security and sharing threat intelligence more effectively.

Key Pillars of the NCSC’s NHS Cyber Resilience Strategy

The NCSC’s approach is built on multiple strategic pillars designed to create a layered defense for the NHS. These include:

  • Active Cyber Defence (ACD) 2.0: Piloting new tools and services to proactively block threats.
  • Software Supply Chain Security: Enhancing the security of third-party software used by the NHS.
  • Vulnerability Disclosure & Threat Intelligence: Managing disclosures and sharing threat data across the sector.
  • Improved Visibility: Using analytics to understand the threat surface and deploy advanced defensive techniques.
  • Promoting NCSC Services: Encouraging adoption of tools like the Early Warning service, Cyber Action Toolkit, and Cyber Essentials scheme.

How the NCSC Is Reducing Supplier Risk in Healthcare

A critical element of the plan is addressing NHS supplier risk. Nicholas W., from the NCSC’s National Resilience Directorate, explained that the government’s Software Security Code of Practice is now being used in NHS procurement to assess suppliers’ cyber maturity. In addition, the NCSC has partnered with a healthcare organization to deploy data science tools that help prioritize supplier risks. This initiative will expand by combining incident history, alert data, and vulnerability activity from the NCSC Early Warning service with technical indicators like remediation patterns and exposed attack surfaces.

Furthermore, the NCSC has helped NHS England, the NHS Business Services Authority, and NHS Scotland establish internal vulnerability disclosure processes. These complement the NCSC’s own Vulnerability Reporting Service (VRS), which has supported GP surgeries, NHS trusts, ambulance services, and health boards since 2019.

Practical Tools and Workshops to Boost Cyber Defenses

Beyond policy, the NCSC is rolling out practical measures to strengthen NHS cyber resilience. For instance, the NHS App became the first government-sponsored app to offer passkeys, with more organizations expected to follow. The agency is also continuing work on External Attack Surface Management (EASM) and deception technology experiments across the sector. Analytics are being used to identify and resolve DNS-related risks, while NCSC Threat Hunting Workshops bring together cyber analysts from across the NHS to tackle real-world threats, develop defensive playbooks, and build stronger collaborative relationships.

Why Cyber Resilience Is Critical for the UK Healthcare Sector

The urgency of this plan is underscored by past incidents. The WannaCry campaign in 2017 cost the NHS an estimated £92 million ($118.6 million). More recently, a ransomware attack on supplier Synnovis in 2024 led to the cancellation of 1,500 operations and appointments and has been linked to a patient’s death. The NHS was also hit by a 2022 ransomware attack on IT partner Advanced Computer Software Group, resulting in the theft of data on tens of thousands of individuals and major disruptions to patient referrals, emergency prescriptions, and ambulance dispatches.

As Nicholas W. concluded, “Taken together, this work shows what is possible when organizations align around a shared goal. Effort is coordinated rather than duplicated, lessons are reused, and risk is reduced across the system, not just within individual organizations.” He added, “Most importantly, this approach offers a model for other critical sectors. Cybersecurity challenges are too complex for any one organization to tackle alone.”

OpenAI restricts Cyber access after criticizing Anthropic for limiting Mythos

In a surprising turn of events, OpenAI has decided to restrict access to its cybersecurity tool Cyber, despite earlier criticism of rival Anthropic for doing the same with its Mythos tool. This move has sparked debate about consistency and transparency in the AI industry.

The controversy behind OpenAI's decision to restrict Cyber access

Just weeks after OpenAI CEO Sam Altman dismissed Anthropic’s decision to limit Mythos as “fear-based marketing,” the company announced it would roll out GPT-5.5 Cyber only to “critical cyber defenders.” Altman confirmed this on X (formerly Twitter) on Thursday, revealing a stark policy reversal.

Critics quickly pointed out the irony. When Anthropic restricted Mythos, Altman called the tactic unnecessary and overblown. Now, OpenAI is following the same playbook, raising questions about double standards in the industry.

How the Cyber tool works and who gets access

OpenAI’s Cyber tool is designed for advanced cybersecurity tasks, including penetration testing, vulnerability identification, and malware reverse engineering. The application process requires users to submit credentials and planned use cases to gain access.

According to OpenAI’s website, the tool aims to help companies find security holes and test defenses. However, the company fears misuse by malicious actors, which is why access is limited.

The Trusted Access for Cyber (TAC) program

OpenAI has introduced the TAC program to verify legitimate users. A spokesperson told TechCrunch that the system has scaled to thousands of verified defenders and hundreds of teams responsible for protecting critical software. These users can access GPT-5.5 for cybersecurity tasks with fewer safeguards.

The TAC program is tiered, meaning that “critical defenders with legitimate defensive use cases” can apply for access to dedicated models like GPT-5.4-Cyber and the forthcoming GPT-5.5-Cyber.

Industry reactions and the Anthropic comparison

When Anthropic restricted Mythos, Altman called the approach fear-based. Some critics agreed, saying Anthropic’s rhetoric was overblown. Ironically, an unauthorized group reportedly gained access to Mythos anyway, undermining the security rationale.

Now, OpenAI faces similar skepticism. Critics argue that restricting access doesn’t prevent misuse but instead limits innovation. Others point out that the move could be seen as a marketing tactic, just as Altman accused Anthropic of doing.

Building on this, OpenAI says it’s working with the U.S. government to expand access. The company plans to identify more users with legitimate cybersecurity credentials, potentially making Cyber more widely available in the future.

What this means for the cybersecurity landscape

OpenAI restricts Cyber access at a time when cybersecurity threats are escalating. The decision highlights the tension between making powerful tools available for defense and preventing their misuse by attackers.

As a result, the industry is watching closely. Will OpenAI’s TAC program succeed where Anthropic’s failed? Or will restricted access lead to similar breaches and criticism?

For now, the focus remains on balancing security with accessibility. Companies like IBM Security and CrowdStrike offer similar tools but with different access models, suggesting there’s no one-size-fits-all solution.

Ultimately, the debate over OpenAI's restriction of Cyber access reflects broader questions about AI governance. As tools become more powerful, the challenge is to ensure they're used responsibly without stifling innovation.
