The Grinex cryptocurrency exchange platform, registered in Kyrgyzstan, announced the suspension of its operations after a theft of approximately $13.7 million. According to the exchange itself, the stolen funds came from wallets linked to Russian users, a direct consequence of the fact that Grinex facilitated crypto-ruble operations between Russian companies and individuals.
The company attributes the attack to actors with capabilities that, in its opinion, would only be within reach of foreign intelligence services, and states that the nature of the incident and its fingerprints indicate a level of resources and technology outside the scope of common crime. This was made public in its communiqué, which is available on the official Grinex website, but it is not accompanied by open technical indicators that would allow independent verification.

The blockchain analysis companies that have studied the trail of the funds agree on the basic mechanics of the theft: the transfer of assets to addresses on the TRON and Ethereum networks and their subsequent conversion to TRX and ETH through the decentralized protocol SunSwap. A technical report from the firm Elliptic sets out the timeline and structure of these transactions and describes how attempts were made to move and mix the funds to make them difficult to trace (Elliptic).
In addition to Elliptic's analysis, the consultancy TRM Labs located dozens of addresses related to the attack and documented a parallel incident at TokenSpot, another Kyrgyzstan-based exchange with reputational links to Grinex. TRM has identified links between TokenSpot and laundering activities associated with geopolitical actors in the region, as well as influence campaigns and material purchases, adding a layer of complexity to the context in which these thefts occur (TRM Labs).
Grinex's history also complicates the narrative. The platform began to operate recently and, according to researchers and regulators, it was born as a successor to or relaunch of Garantex, a Russian exchange whose administrator was arrested and whose websites were seized for alleged links to illegal operations and the processing of opaque funds. Analysis reports and subsequent sanctions indicate that Grinex reportedly took over much of the functional structure of the previous platform, including a ruble-backed stablecoin that facilitated transactions in the Russian environment.
In this regard, international bodies and enforcement agencies have shown concern that certain crypto services offer ways to avoid financial restrictions. According to specialized publications, in August 2025 the U.S. Treasury Department took punitive action against entities related to this operational continuity between Garantex and Grinex, claiming that the new entity maintained actors and flows similar to those of its predecessor. To understand the context of these measures and how they fit into sanctions policy, the analysis of firms such as Elliptic and TRM is useful.
Although the exchange and some observers speak of a geopolitically motivated attack, it is important to stress that attribution in the digital world is complex. For the time being, sufficient technical evidence has not been published to identify those responsible unambiguously or to confirm the direct involvement of a Western intelligence service. The above-mentioned public investigations do not contain fully verifiable forensic indicators that point to a particular actor beyond the description of the modus operandi and the on-chain trail.
From a technical point of view, converting assets across different blockchains and DEXes like SunSwap is a common tactic to fragment the trail and make recovery difficult. However, it is also true that the very immutability and transparency of many chains allows analysts to follow the tracks with advanced on-chain analysis tools, which often facilitates the identification of patterns, intermediate exchanges and relationships between addresses.
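As an added illustration (not taken from the Elliptic or TRM Labs reports), the Python sketch below shows why a DEX swap does not by itself break the trail: the swap is an on-chain event, so a tracer simply switches the asset it follows. The ledger, addresses and the `STABLECOIN` asset name are constructed placeholders, and the "poison" taint rule is a deliberately simple assumption.

```python
# Constructed ledger in chronological order. Addresses and assets are
# placeholders for illustration, not data from the incident.
EVENTS = [
    {"kind": "transfer", "src": "addr_B", "dst": "addr_X", "asset": "TRX"},
    {"kind": "transfer", "src": "victim_wallet", "dst": "addr_A", "asset": "STABLECOIN"},
    {"kind": "swap", "addr": "addr_A", "sold": "STABLECOIN", "bought": "TRX"},
    {"kind": "transfer", "src": "addr_A", "dst": "addr_B", "asset": "TRX"},
    {"kind": "transfer", "src": "addr_A", "dst": "addr_C", "asset": "TRX"},
    {"kind": "transfer", "src": "addr_B", "dst": "addr_D", "asset": "TRX"},
    {"kind": "transfer", "src": "unrelated_1", "dst": "unrelated_2", "asset": "TRX"},
    {"kind": "transfer", "src": "addr_C", "dst": "addr_E", "asset": "STABLECOIN"},
]


def trace(events, seed):
    """Forward 'poison' taint over (address, asset) balances.

    A transfer spreads taint to the recipient's balance of the same asset.
    A swap spreads taint from the sold asset to the bought asset at the
    same address. Events are processed in time order, so outflows that
    happened before an address received tainted value are ignored.
    """
    tainted = {seed}
    path = []
    for ev in events:
        if ev["kind"] == "transfer" and (ev["src"], ev["asset"]) in tainted:
            tainted.add((ev["dst"], ev["asset"]))
            path.append(f'{ev["src"]} -> {ev["dst"]} [{ev["asset"]}]')
        elif ev["kind"] == "swap" and (ev["addr"], ev["sold"]) in tainted:
            tainted.add((ev["addr"], ev["bought"]))
            path.append(f'{ev["addr"]} swap {ev["sold"]} -> {ev["bought"]}')
    return tainted, path


def tainted_addresses(events, seed):
    """Addresses holding any tainted balance, regardless of asset."""
    tainted, _ = trace(events, seed)
    return {addr for addr, _asset in tainted}


if __name__ == "__main__":
    _, hops = trace(EVENTS, ("victim_wallet", "STABLECOIN"))
    print("\n".join(hops))
```

Real tracing tools weight taint by amount and handle mixing with clean funds; this model flags every downstream balance, which over-approximates.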
For affected users and third parties following the news, there is a clear lesson: the custody of funds and security controls remain the critical point. Exchanges with opaque legal structures or a troubled regulatory history often involve greater risks, both due to exposure to malicious actors and the difficulty of obtaining support and recourse in case of incidents. Meanwhile, criminal and regulatory investigations must combine digital forensics with international cooperation to increase the likelihood of attribution and recovery.
The geopolitical implications are not minor. If it were confirmed that the aim of the attack was to damage structures that facilitate the evasion of sanctions, we would be facing an example of how financial war and cyberwar intersect. But there is also the opposite risk: the use of premature or undocumented attributions to justify reprisals or sanctions without robust public evidence. In this sensitive area, independent analysts and transparency in the publication of evidence are matters of responsibility.

The episode also highlights the need for stronger regulatory and security frameworks in jurisdictions that have become a haven for platforms with international links. Coordination between authorities, in both the cyber and financial fields, is essential to face threats that mix organized crime, abuse of critical infrastructure and strategic objectives.
As for the follow-up of the case, the reports of the blockchain firms and the statements of the platforms themselves are the main public source for now. Readers who want to dig deeper and see the analysis of the transaction routes can consult Elliptic's study of the incident (Elliptic), the TRM Labs report documenting both the attack on Grinex and the impact on TokenSpot (TRM Labs), and the official page of Grinex with its communiqués (Grinex).
The story is far from closed: the results of forensic investigations remain to be seen, as do the possible recovery of assets and whether the relevant authorities will open formal criminal cases. Meanwhile, the episode serves as a reminder that, in crypto markets, technical security, corporate transparency and regulatory supervision are inseparable pieces in reducing both exposure to fraud and the geopolitical instrumentalization of digital assets.