The crypto exchange Grinex, which is under sanctions, halted trading after an attack that resulted in the theft of more than 1 billion rubles, or about $13.7 million. The company stated that foreign intelligence agencies may be behind the hack.
The exchange is registered in Kyrgyzstan, but it is linked to the Russian crypto ecosystem and possible sanctions evasion. According to the team, the funds were withdrawn from 54 addresses.
Grinex emphasized that the nature of the attack and the digital traces point to an “unprecedented level of resources and technology” usually possessed only by state actors.
“Due to the attack, Grinex was forced to cease operations. All available information has been handed over to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure,” representatives of the platform said.
Grinex is often called the successor to the Garantex exchange, which was also under sanctions. According to US authorities, both platforms could have been used to circumvent restrictions and launder funds, including those linked to Russian hackers.
Elliptic founder Tom Robinson previously stated that Grinex became the main platform for trading the stablecoin A7A5, which is pegged to the ruble and associated with sanctions evasion.
At the same time, the company itself previously denied such accusations. Representatives of Grinex said they condemn any illegal actions, including sanctions evasion and money laundering.
It May Not Be Just Grinex Affected by the Attack
According to analytics company TRM Labs, other transactions are linked to the same address where the funds were sent after the hack. This concerns the TokenSpot exchange, registered in Kyrgyzstan and connected to Grinex at the on-chain data level.
Two TokenSpot wallets sent about $5,000 to the same address used by the attacker.
See Also: Nasdaq and S&P 500 Hit New Highs, Bitcoin Approaches $76,000
Interestingly, on April 15, TokenSpot announced technical work and temporary platform downtime. The very next day, the exchange announced full restoration of operations.
TRM Labs also discovered 16 more addresses linked to the incident, in addition to those previously disclosed by Grinex.
The main address to which the funds were transferred now holds 45.9 million TRX. That is almost $15 million at the current rate.
Hacker Withdrew $15 Million and Tried to Cover Tracks via TRX and ETH
According to Elliptic estimates, the attacker may have withdrawn about $15 million in USDT from Grinex accounts.
The funds were then moved to other networks. Some went to the Tron and Ethereum blockchains.
To make tracking more difficult, the stolen USDT was quickly converted into other assets.
“After that, the USDT was exchanged for TRX or ETH. This allowed the attacker to reduce the risk of the funds being frozen by Tether,” Elliptic noted.
This is not the first time exchanges linked to sanctions evasion have come under attack.
In June 2025, the Iranian platform Nobitex lost $81 million in an attack. Responsibility was claimed by a pro-Israeli hacker group.
Attacks Are Getting More Sophisticated, and Chances of Recovery Are Lower
The situation with Grinex once again showed a simple truth — centralized exchanges remain vulnerable, especially if they operate in the gray zone. In such cases, risks stack up: hackers put on pressure, and regulators don’t let up.
At the same time, the attacks themselves are no longer what they used to be. Everything looks much more thought out. It’s not a random bug or mistake, but a well-prepared operation with resources.
It is particularly striking how quickly the money is moved. In this case, the funds started moving across networks almost immediately. They are split up, transferred between blockchains, and assets are swapped. Tracking becomes noticeably more difficult.
See Also: WLFI Faces Wave of Criticism Over New Token Unlocking Scheme
Exchanges have almost no time to react. While someone is figuring out what happened, the money has already passed through several chains and is lost along the way.
As a result, such stories rarely end with the return of funds. More often, it comes down to attempts to cover the hole with reserves or user funds. And this is another blow to trust in such platforms.
