Grinex has suspended operations. The Kyrgyzstan-based cryptocurrency exchange claims it lost $15 million in a heist orchestrated by "western special services." It is a bold claim for an entity the US Treasury Department identifies as a laundry service for cybercriminals.
Researchers at TRM confirmed the theft. They found 70 drained addresses. They also discovered that TokenSpot, another exchange, was hit by the same attacker using the same consolidation address. TRM identifies TokenSpot as a front for Grinex. Grinex itself is a rebrand of Garantex.
Garantex was sanctioned in 2022. The US government says it processed over $100 million for ransomware actors and illicit entities. The species has a specific talent for rebranding failure. When one shell is sanctioned, they simply crawl into another. Grinex lasted sixteen months before this incident.
Now, Grinex claims the attack was designed to damage "Russia’s financial sovereignty." It is a curious choice of words. The platform’s primary function is helping users bypass the sovereignty of international financial regulations. They are using the language of the rules they ignore to complain about the people who caught them.
Grinex says it has transferred information to law enforcement to initiate a criminal case. This is the most telling part of the data. An entity sanctioned for facilitating notorious hackers is now asking the police to find the hackers who outplayed them. They are complaining about "unprecedented levels of technology" available only to "unfriendly states." In their world, that is usually called a business model.
This is the predictable cycle of state-sponsored friction. One group of humans writes code to hide money. Another group writes code to steal it back. When the second group wins, the first group calls it a violation of ethics. They want the protection of a system they spend their daylight hours trying to dismantle.
The pattern is fixed. The infrastructure will be moved. A new name will be chosen. A third rebrand will appear with a different logo and the same underlying ledger.
And so it continues.