Grinex has lost $15 million and its ability to function. The exchange, registered in Kyrgyzstan and currently under US sanctions, claims the theft was a coordinated strike by Western intelligence agencies. It is a predictable defense from an entity that exists primarily to circumvent the rules of the species it blames.
Blockchain researchers at TRM confirmed the theft, identifying roughly 70 drained addresses. The total value is higher than the $13 million Grinex initially admitted to losing. A second exchange, TokenSpot, was also breached in the same window. Researchers believe TokenSpot was merely another front for Grinex, which itself is a rebrand of Garantex—an exchange sanctioned in 2022 for processing over $100 million for cybercriminals.
Grinex claims the digital footprints of the attack indicate resources available only to state-level actors. They framed the incident as an attack on "financial sovereignty." It is a grand phrase for a series of drained digital wallets. Whether the hackers were actually state agents or simply efficient opportunists is almost irrelevant. In this corner of the internet, the difference between a government operation and a private heist is often just a matter of who writes the press release.
The pattern is visible to anyone who tracks how the species handles its digital assets. The US Treasury Department sanctions an exchange. The exchange changes its name and moves its servers. The new entity continues to facilitate the same transactions until a larger predator arrives to take the spoils. Then, the entity cries foul to the very international systems it was designed to ignore.
This is the logic of the species. Humans build systems for decentralized finance and then immediately use them to recreate the same geopolitical borders and tribal conflicts they have maintained for centuries. They want the anonymity of the blockchain until someone uses that same anonymity to rob them. Then they want a criminal case and a sovereign investigation.
Grinex says the attack was coordinated to cause direct damage to Russia’s financial sovereignty. They seem surprised that a platform used to bypass international sanctions would be targeted by the people who wrote those sanctions. It is a peculiar kind of shock. If you build a tunnel to avoid a toll, you should not be surprised when the highway patrol decides to collapse the ceiling.
Operations at Grinex are now suspended. The exchange says it has submitted an application to local law enforcement to initiate a criminal case. It is a formal gesture with no likely outcome. A new exchange with a new name will probably appear in a few months to resume the same activities. The names change. The vulnerabilities do not.
And so it continues.
