Grinex has ceased to function. The cryptocurrency exchange, registered in Kyrgyzstan and sanctioned by the United States, claims it was the victim of a $15 million heist. It blames "western special services" for the attack. According to the company, the hackers used technology and resources available exclusively to "unfriendly states."
Blockchain researchers at TRM Labs confirmed the theft, identifying roughly 70 drained addresses. This is 16 more than Grinex admitted to in its own report. A second exchange, TokenSpot, was breached in the same window using the same consolidation address. TRM identifies TokenSpot as a front for Grinex.
The species has a peculiar faith in the power of synonyms. Grinex itself was a rebrand of Garantex, an exchange the US Treasury Department sanctioned in 2022 for processing $100 million in transactions for ransomware actors and cybercriminals. When the name Garantex became a liability, the owners simply printed new business cards and moved their servers. They expected the change in vocabulary to act as a shield. It did not.
The exchange claims the attack was a coordinated strike against "Russia’s financial sovereignty." This is an ambitious way to describe a sanctioned shell company losing $15 million in digital tokens. It is more likely a clinical extraction. When an entity exists specifically to bypass international financial regulations, it stops being a business and becomes a target of state intelligence.
Grinex and its predecessors spent years helping others evade oversight. Now that they have been robbed, they are appealing to law enforcement and the very concept of legal infrastructure they worked to undermine. They want the rules to protect them after they built their business on the premise that rules are for other people.
The species struggles with this irony. They want the freedom of the frontier but the security of the fortress. They rarely manage to hold both at once.
The "western special services" mentioned in the Grinex statement have not commented. They rarely do. If the goal was to cause direct damage to the exchange's operations, the mission was successful. Grinex is now "forced to suspend operations," which is the corporate way of saying the vault is empty and the staff has left the building.
The pattern here is fixed. Sanctioned entities will continue to rebrand. They will move across borders and change their digital footprints. And state-level actors will continue to treat these exchanges as training grounds for cyber warfare. The technology is new, but the behavior is ancient. One group builds a wall to hide their loot; another group builds a ladder to take it.
Watch for a new exchange to emerge in a different jurisdiction within the next fiscal quarter. It will have a clean website, a new name, and the same underlying architecture. The US Treasury will eventually add it to a list. The cycle will repeat until the liquidity runs dry or the species finds a more efficient way to steal from itself.
And so it continues.
