A sanctioned cryptocurrency exchange has claimed that Western intelligence agencies are to blame for a targeted attack last week which led to the theft of one billion rubles ($13.2m) from Russian customers.
Kyrgyzstan-based Grinex is believed to be the successor to Garantex, which was sanctioned by the US in 2022 for enabling money laundering and illegal transactions. Grinex suffered the same fate last August, but continues to help Russian’s evade sanctions via crypto-transactions.
However, in a statement late last week, the firm said it had been forced to suspend operations following a “large-scale cyber-attack” by “foreign” intelligence agencies.
It claimed that only these actors would be able to muster the “unprecedented level of resources and technology” used in the raid, saying that it was done to harm Russia’s “financial sovereignty.”
“From the very beginning, the exchange’s infrastructure has been subject to attacks,” said a Grinex spokesperson.
“We have documented systematic attempts to restrict the transfer of cryptocurrency outside the CIS: the exchange was placed on sanctions lists, crypto wallets were deliberately targeted, and transactions were blocked. Today, attempts to destabilize the domestic financial sector have reached a new level – the direct theft of assets from Russian citizens and companies using complex cyber-attacks.”
Read more on crypto-heists: DeFi Protocol Balancer Loses Over $120m in Cyber Heist
Grinex said it had filed a criminal complaint about the attack and shared relevant information with law enforcers.
It also shared the crypto address where the funds were allegedly deposited, after being converted to TRX.
Experts Question Narrative
However, blockchain experts are skeptical about the story Grinex is floating.
Forensics firm Chainalysis said that Western agencies typically freeze centralized stablecoins rather than swapping them. But in this attack, they were quickly swapped for a non-freezable, more decentralized token – a classic tactic apparently used by cybercriminals looking to quickly launder funds.
“Shortly after the funds were exfiltrated, they were actively moved by leveraging a popular Tron-based decentralized exchange (DEX) to swap the stablecoins into Tron (TRX), the native token of the Tron blockchain. Interestingly, this specific DEX was previously heavily leveraged by Garantex – Grinex’s sanctioned predecessor – as a source of liquidity to gas-fund its hot wallets,” Chainalysis explained.
“This behavior immediately raises reasonable questions about Grinex’s claim that Western authorities are behind the attack.”
Chainalysis suggested that this may be a false flag attack – potentially to cover an attempt by admins to move funds to their own wallets.
“Faced with mounting international pressure and a shrinking operational footprint, actors associated with Grinex could be using the guise of an alleged hack to quietly siphon liquidity and execute an exit scam,” it said.
“At the time of writing, the exfiltrated funds remain as a balance on a single address; as the funds move downstream, forensic blockchain evidence will provide additional clues into who might be responsible for the alleged hack.”