Russia-linked exchanges Grinex and TokenSpot targeted in suspected coordinated hack

At least one more Russia-linked crypto exchange has been hit in the billion-ruble hack of the sanctioned Kyrgyzstan-registered Grinex, blockchain analyses showed.

Reports of the coinciding incidents sparked suspicions that the cyberattacks may have been coordinated and carried out by intelligence services rather than hacking groups.

Kyrgyz crypto exchange TokenSpot also suffers breach

Russia has been allegedly using a number of cryptocurrency platforms incorporated in allied states like Kyrgyzstan to bypass financial restrictions imposed over its war in Ukraine.

The best known among them, the Grinex exchange, was hacked this week, losing well over a billion rubles’ worth of cryptocurrency, almost $15 million to be precise. And it wasn’t alone.

Blockchain forensics firms quickly tracked the stolen crypto, mostly USDT on Tron, which was eventually converted via the decentralized platform SunSwap to Tron tokens (TRX), nearly 46 million of them, and deposited to a single address.

According to a TRM Labs report, another Kyrgyz crypto trading service, TokenSpot, believed to be connected to Grinex, was also affected.

Its analysts found out that a smaller amount of digital money, less than $5,000 in value, was sent to the same consolidation wallet used in the big hack.

On Wednesday, the day Grinex halted trading, TokenSpot took to Telegram to inform users of an ongoing maintenance period, with operations resuming the following day, TRM said Thursday.

While Grinex identified 54 addresses associated with the attack, TRM Labs found another 16, some of which were also used to transfer funds from TokenSpot.

The latter is registered in Kyrgyzstan but serves predominantly Russian customers and supports ruble transactions, the business news outlet RBC reported on Friday.

In a Telegram post, the Russian company SHARD, a provider of anti-money laundering and know your customer services, remarked:

“According to on-chain analysis, it is likely that not only the Grinex exchange, but another service, also located in Moscow City, fell victim to these same attackers.”

The Kyrgyzstan-based Grinex, successor of the Russian exchange Garantex, which was shut down in a U.S.-led effort last year, has an office in the same business center in Russia’s capital.

After registering the hack and suspending all operations, Grinex contacted law enforcement authorities and shared the collected data for further investigation.

The crypto trading venue alleged it had been “subjected to a large-scale cyberattack with indications of involvement by foreign intelligence agencies” and highlighted:

“The digital footprint and nature of the attack indicate an unprecedented level of resources and technology, available only to entities of hostile states.”

“According to preliminary data, the attack was coordinated with the aim of directly harming Russia’s financial sovereignty,” the exchange also said.

Was Grinex hit by regular hackers or Western spies?

Grinex’s assertion has not been supported by official statements so far, but it sparked discussions in the Russian crypto space, with views supporting both scenarios.

SHARD commented that the exchange’s actions seem motivated by a desire to protect funds from being blocked by the issuer.

When its predecessor, Garantex, was taken offline in early 2025, Tether froze $27 million worth of USDT on its platform.

“This indicates an economic rather than political nature of the target, and it is possible that the hack is not connected to foreign intelligence services,” the company elaborated.

AML specialists at CoinKit concluded that since the attackers emptied the exchange’s wallets in about five minutes, the attack was pre-planned and executed automatically.

The analysts said the scheme has been observed in most major exchange hacks in the past couple of years and does not require access to government resources.

“The nature of the transactions does not match the signature of elite hacker groups working for governments,” the BitOK compliance platform agreed.

However, it also noted that Grinex is sanctioned by the U.S., the EU, and the U.K., which turns it into a “legitimate target” for Western intelligence and pointed out:

“There are historical precedents. In 2025, the Iranian exchange Nobitex lost $90 million as a result of an attack by a group linked to Israel.

The Russia-linked cryptocurrency exchange has processed over $93 billion in transactions using the ruble-pegged stablecoin A7A5.

Entities linked to the digital currencies, most notably the Kyrgyzstan-registered firm Old Vector, which is currently issuing it, are also sanctioned by the West.

If you're reading this, you’re already ahead. Stay there with our newsletter.