Damaging “Russia’s financial sovereignty”
“The digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states,” Grinex said. “According to preliminary data, the attack was coordinated with the aim of causing direct damage to Russia’s financial sovereignty.”
“Due to the attack, the Grinex exchange is forced to suspend operations,” Grinex continued. “All available information has been transferred to law enforcement agencies. An application has been submitted to the location of the infrastructure to initiate a criminal case.”
TRM said that TokenSpot, a second Kyrgyzstan-based exchange, was also breached. Two of the exchange’s addresses sent funds to the same consolidation address used by the affected Grinex-linked wallets. What’s more, both exchanges became inoperable on Wednesday, suggesting they were hit by the same attacker.
TRM said TokenSpot was a front for Grinex, which the US Treasury Department sanctioned last year. The department’s Office of Foreign Assets Control said that Grinex, in turn, was a rebrand of Garantex, an exchange it had sanctioned in 2022. The department said then that Garantex had “directly facilitated notorious ransomware actors and other cybercriminals by processing over $100 million in transactions linked to illicit activities since 2019.” Last year’s sanctions against Grinex came a few months after TRM said that the exchange was likely a front for Garantex.
TRM said Thursday that it couldn’t confirm Grinex’s claim that Western special services were behind the heist. TRM also said that the theft didn’t appear to be performed by insiders in an attempt to liquidate assets before abandoning the exchange.
“Based on the relatively low total value drained, the indiscriminate targeting of both large and small wallets across multiple platforms including TokenSpot—which has since resumed operations after claiming a technical issue—TRM assesses this incident was more likely an external cyber operation rather than an exit scam.”
Elliptic said that Grinex has “strong ties to Russia and is one of the largest exchanges for exchanging Russian rubles for cryptoassets.” To date, it has processed transactions totaling more than $6 billion.
“It is likely that Grinex has common ownership and management with Garantex and was established as a response to the sanctions imposed on Garantex,” Elliptic said. “Following the shutdown of Garantex, much of its liquidity and clients migrated to Grinex.”
The drained Grinex accounts, Elliptic said, had outgoing transactions totaling about $15 million in USDT, an ethereum-based stablecoin its backers say is pegged to the value of the US dollar. The funds were then sent to further accounts on the TRON or ethereum blockchains. The USDT was then converted to either the TRX or ETH currencies. That conversion allowed the attackers to avoid the risk of the stolen assets being frozen by Tether, the company that issues the USDT stablecoin.
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.