
Kyrgyzstan-based crypto exchange Grinex, which was sanctioned by the UK and US last year, blamed Western intelligence agencies for a $13.74 million hack and announced it would cease operations.
The exchange announced that it had suffered a large-scale cyber attack bearing signs of the involvement of foreign intelligence agencies. The attack resulted in the theft of more than 1 billion rubles of user funds.
“The digital forensic evidence and the nature of the attack demonstrate an unprecedented level of resource and technological sophistication, capabilities typically available only to adversarial government agencies,” the company said in a statement on its website. “Preliminary findings suggest that this attack was tailored to the specific goal of directly damaging Russia’s financial sovereignty.”
The company spokesperson went on to say that the exchange’s infrastructure has been under attack since the beginning of its operations, and this incident marks a new level of escalation aimed at destabilizing the domestic financial sector.
Grinex is believed to be a rebrand of Garantex, a cryptocurrency exchange that was sanctioned by the US Treasury in April 2022 for money laundering related to ransomware and darknet markets such as Conti and Hydra. In August 2025, the Treasury Department renewed sanctions against Garantex for processing more than $100 million in illegal transactions and enabling money laundering.
Garantex is said to have moved its customer base to Grinex in response to the sanctions and continued to operate using a ruble-backed stablecoin called A7A5, according to details shared by the Treasury Department and blockchain intelligence firms Elliptic and TRM Labs.
In a report published in early February this year, Elliptic also revealed that Lapira, a Georgian-incorporated exchange with offices in Moscow, had conducted direct crypto transactions with Grinex totaling more than $72 million, highlighting how the Russian-linked exchange continues to enable sanctions evasion.
The British blockchain analysis firm said the theft of Grinex assets occurred at around 12:00 UTC on April 15, 2026, and the stolen funds were then transferred to another account on the TRON or Ethereum blockchains. “This USDT was then converted into another asset, either TRX or ETH. In doing so, the thieves avoided the risk of the stolen USDT being frozen by Tether,” it added.
TRM Labs identified approximately 70 addresses related to the incident and noted that TokenSpot, a Kyrgyzstan-based exchange likely operating as a front for Grinex, was also affected at the same time.
On the same day that Grinex was breached, TokenSpot posted on its Telegram channel that the platform would be temporarily unavailable due to technical maintenance. The company announced that it had resumed full operations on April 16th. It is estimated that the attackers stole less than $5,000 from TokenSpot. The funds were routed through two TokenSpot addresses to the same integration address used in the Grinex-linked wallet.
Chainalysis said in its own case breakdown that stablecoin funds were quickly exchanged for unfreezable tokens and that this “crazy swap” from stablecoins to more decentralized tokens was a tactic employed by bad actors to launder illicit proceeds before the assets were frozen.
“Given the exchange’s heavily sanctioned status, restricted ecosystem, and on-chain use of obfuscation techniques recommended by Garantex, it is worth considering whether this incident could be a false flag attack,” Chainalysis said. “Whether this event was a legitimate exploit by cybercriminals or a coordinated false flag operation by Russian-linked insiders, the Grinex disruption is a significant blow to the infrastructure that supports Russia’s sanctions evasion.”
