Sanctioned crypto exchange Grinex has suspended operations after a cyberattack stole more than 1 billion rubles ($13–$14 million) from user accounts. The platform, based in Kyrgyzstan but closely linked to Russia, announced the shutdown in a statement on its official Telegram channel on April 16.
Grinex described the incident as a “large-scale cyberattack” that hit its wallets and forced it to freeze all activity. Trading and withdrawals are halted, leaving users unable to access their funds while the company investigates the breach.
Blockchain analytics firm TRM Labs estimates that Grinex and related Kyrgyzstani exchange TokenSpot lost roughly $15 million in total during the operation. On‑chain data shows about 15 million USDT quickly withdrawn from at least 54 wallets and moved across multiple networks, including Ethereum and Tron.
Exchange Blames “Foreign Intelligence”; Analysts See Sanctions Angle
In its public statement, Grinex claimed the attack bore signs of involvement by “special services of unfriendly states.” The exchange said the “digital footprints and nature of the attack” suggested access to resources and technologies available only to foreign intelligence agencies.
Grinex also argued that the goal was to damage Russia’s financial sovereignty and independence. However, it did not provide technical evidence to support these claims, and independent media such as the Kyiv Independent said they could not verify the allegation.
Compliance analysts point to a different context. In August 2025, the U.S. Treasury’s OFAC, the UK, and the EU sanctioned Grinex for facilitating Russian sanctions evasion and identified it as a continuation of the infrastructure behind Garantex, another blacklisted exchange. Before its takedown, Garantex processed over $100 billion in transactions, with about 82% linked to sanctioned entities worldwide.
How the $13M was Stolen
Attackers drained funds from dozens of Grinex hot wallets in a coordinated sweep. TTRM Labs reports that attackers removed about 1 billion rubles’ worth of assets, mostly USDT, from 54 addresses in a short window.
Attackers then moved and traded the stolen stablecoins across chains to make the trail harder to follow. This included exchanges into ETH and TRX. Investigators add that the attackers’ speed and routing patterns indicate they set up their wallet infrastructure in advance, a common feature of coordinated exchange heists.
Grinex has since posted a list of hacked wallet addresses and asked other platforms to freeze or flag any funds linked to them.
READ MORE: Bitcoin Price Prediction as Fear and Greed Index Nears Pivotal Level
