On April 16, 2026, Grinex—a Kyrgyzstan-registered cryptocurrency exchange heavily tied to Russia’s domestic crypto-ruble ecosystem—suddenly halted all trading, deposits, and withdrawals after suffering a major security breach.
The exchange described the sophisticated cyberattack, which drained more than one billion rubles, roughly $13 to $15 million, from user funds, as state-sponsored, claiming it was carried out by “Western intelligence agencies.”
In the statement posted on its website and Telegram channel, the exchange accused “foreign special services” of unfriendly states of orchestrating the breach, stating that the digital footprints pointed to resources and technology available only to state-level actors.
Grinex framed the incident as a direct assault on Russia’s financial sovereignty, coming amid ongoing geopolitical tensions. The exchange claims that this is a “direct theft of assets from Russian citizens and companies using complex cyberattacks.”

“The nature of the attack indicates an unprecedented level of resources… aimed at directly harming Russia’s financial sovereignty,” the exchange said. It has suspended operations indefinitely and handed over details to Russian law enforcement.
No independent evidence has surfaced to support the claim of state involvement, and Western governments have not commented.
“From the very beginning, the exchange’s infrastructure has been subject to attacks,” a spokesperson from Grinex said. “We have documented systematic attempts to restrict the transfer of cryptocurrency outside the CIS: the exchange was placed on sanctions lists, crypto wallets were deliberately targeted, and transactions were blocked.”
The Hack: What Was Taken and Where It Went
In its statement, Grinex published a list of roughly 54 drained wallets, mostly holding TRC-20 USDT on the Tron blockchain, along with a handful of Ethereum addresses.
The largest single drains included wallets losing hundreds of thousands of dollars each. The exchange reported the total theft at about 13.74 million USDT, though blockchain analytics firm TRM Labs tracked flows closer to $15 million.
As of publication, the entire stolen USDT balance had been swapped through various services and consolidated into TRX (the Tron blockchain’s native token). The bulk ended up in a single identifiable wallet: TH9k…neKVa, which holds around 45.9 million TRX, equivalent to roughly $15 million at prevailing prices.
The address remains publicly viewable on Tronscan, and the funds appear to have been laundered through rapid conversions to obscure the trail.
TRM Labs noted that a related Kyrgyzstan-based platform, TokenSpot, with deep on-chain connections to Grinex, also appears to have been hit in the same operation.
Users with balances on the platform now face an uncertain wait. Grinex has promised to cooperate with authorities, but in the opaque world of sanctioned crypto exchanges, full recovery is far from guaranteed.
Claims of a state-backed attack in the shadow of war
Grinex’s accusation carries a familiar ring in the context of Russia’s war with Ukraine, now entering its fifth year. The exchange portrayed the hack as part of a broader campaign by “hostile states” to undermine Russia’s ability to conduct business outside the traditional SWIFT system and Western-controlled finance.
“From the very beginning, the exchange’s infrastructure has been subject to attacks,” a Grinex spokesperson said, citing prior sanctions listings, blocked wallets, and restrictions on moving crypto outside the CIS, a loose regional alliance of 9 post-Soviet countries, including Russia, Belarus, Kazakhstan, Kyrgyzstan, and others.
This narrative fits neatly into Moscow’s longstanding claims that Western powers use sanctions and covert operations to wage economic war against Russia.
While state actors certainly possess advanced cyber capabilities, exchange hacks are also common among sophisticated criminal groups looking to cash out quickly. No public forensic evidence has yet linked the attack to any specific intelligence agency, Western or otherwise. Even Reuters and other outlets noted they could not independently verify the claim.
The timing, however, is notable. Grinex positioned itself as a vital lifeline for Russian firms navigating sanctions imposed since the full-scale invasion of Ukraine in 2022. By facilitating P2P trades, USDT settlements, and even a ruble-pegged token called A7A5, it helped keep some cross-border and domestic flows alive when traditional banking channels tightened.
From Garantex to Grinex: A history of sanctions evasion
Grinex didn’t emerge in a vacuum. It is widely viewed by Western authorities and blockchain intelligence firms as the direct successor to Garantex, a Moscow-based exchange sanctioned by the U.S. Treasury’s OFAC in 2022 for processing over $100 million in ransomware payments and other illicit funds.
While it operated, Garantex became a go-to platform for cybercriminals, including groups linked to Conti, LockBit, and others.
In March 2025, U.S., German, and Finnish authorities disrupted Garantex in a coordinated operation, seizing its domain and freezing millions in crypto. Indictments followed against key figures. Almost immediately, user funds and liquidity shifted to Grinex, which replicated much of Garantex’s interface and even helped “recover” balances via the A7A5 stablecoin.
The U.S. Treasury sanctioned Grinex itself in August 2025, along with several associated companies and executives, explicitly calling it a sanctions-evasion vehicle created by Garantex insiders. Despite the designations, the platform continued operating, serving Russian-speaking users and businesses seeking alternatives to frozen banking channels.
Its business model focused on low fees, fast ruble-crypto conversions, and regional offices inside Russia—all while emphasizing its purported licensing under CIS rules. Critics, however, saw it as another chapter in a persistent cat-and-mouse game: when one door closes, another opens under a slightly different name.
What Happens Next?
For now, the site displays a maintenance notice detailing the hack and listing the stolen wallets. Trading remains frozen. Russian authorities have reportedly opened a criminal case, but the cross-border nature of crypto—combined with international sanctions—complicates any recovery effort.
Blockchain watchers continue to monitor the consolidation wallet. If the funds move again or get tumbled through mixers, tracing will grow even harder.
The incident underscores the double-edged sword of crypto in sanctioned economies: a tool for resilience that also attracts both criminals and sophisticated adversaries. Whether this was a criminal heist, a state operation, or something in between may never be fully known outside classified circles.
What is clear is that users who parked funds on Grinex—drawn by promises of easy ruble-crypto access in a restricted financial environment—are once again reminded of an old truth in this space: not your keys, not your coins. Especially when the platform itself sits at the volatile intersection of geopolitics, sanctions, and high-stakes cyber warfare.
