Sanctioned crypto exchange Grinex suspends trading after $14M hack

Sanctioned crypto exchange Grinex halted trading after a suspected state-level cyberattack drained up to $15 million in crypto.

Grinex said Thursday it had suspended operations after losing more than 1 billion Russian rubles, roughly $13.7 million, from 54 wallets in what it described as a highly sophisticated breach. The Kyrgyzstan-registered exchange pointed to signs that the attackers had access to resources typically associated with foreign intelligence agencies.

“Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure,” the exchange said.

Details shared by Grinex suggested a coordinated operation rather than a routine exploit. The platform said the digital footprint and execution pointed to “an unprecedented level of resources and technology available only to entities of hostile states.”

The incident adds fresh scrutiny to an exchange already under watch from Western authorities. Grinex has been widely linked to Russia’s sanctioned crypto infrastructure and has been described by blockchain analysts as a continuation of the previously blacklisted Garantex platform.

Earlier findings from Global Ledger indicated that Garantex shifted liquidity and user balances to Grinex following its shutdown in March 2025. On-chain data showed funds moving through one-time-use wallets before landing in Grinex accounts, while some users reported that balances frozen on Garantex later appeared on the new platform. Investigators also pointed to similarities in website design and internal confirmations, suggesting operational overlap between the two entities.

Garantex had been sanctioned by the United States in 2022 for facilitating illicit finance and was later targeted by European Union restrictions. Operations formally ceased in March 2025 after Tether froze nearly $2.5 billion worth of ruble-backed stablecoins tied to the exchange. Authorities in India also arrested co-founder Aleksej Bešciokov shortly after the shutdown.

Multiple platforms may have been exposed

According to TRM Labs, activity tied to the attacker may extend beyond Grinex. The blockchain intelligence firm identified two wallets linked to Kyrgyzstan-based exchange TokenSpot that sent about $5,000 to the same consolidation address used in the Grinex breach.

TokenSpot acknowledged a temporary disruption earlier this week. A notice on its Telegram channel mentioned technical work and a brief outage on April 15, followed by confirmation a day later that full services had resumed.

Further analysis from TRM Labs uncovered at least 16 additional addresses connected to the incident, beyond those disclosed by Grinex. Funds from the attack were funneled into a single address holding around 45.9 million TRON, valued close to $15 million.

Funds routed to avoid freezing risk

Blockchain analytics firm Elliptic has traced roughly $15 million in USDt leaving Grinex-linked accounts and moving across the Tron and Ethereum networks. The firm said the attacker converted the stablecoins into other assets soon after the theft.

“This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether,” Elliptic said.

Past incidents show a pattern of exchanges tied to sanctioned jurisdictions becoming targets for politically motivated or financially driven attacks. Iran-based platform Nobitex lost $81 million in June 2025, with a pro-Israel hacker group claiming responsibility.

Attention now turns to whether Grinex can resume operations and how authorities respond, especially given its alleged role in facilitating sanction evasion and links to previously blacklisted entities.