Sanctioned crypto exchange Grinex said it has halted trading after losing more than 1 billion Russian rubles (about $13.7 million) in an attack that shows signs of involvement by foreign intelligence agencies.
The Kyrgyzstan-registered platform—long linked to Russia’s crypto ecosystem and alleged sanctions evasion—said the funds were drained from 54 addresses. It added that the attack’s digital footprint pointed to an “unprecedented level of resources and technology available only to entities of hostile states.”
“Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies, and a criminal complaint has been filed at the location of the infrastructure,” the exchange said.
Grinex has been widely viewed as a successor to the sanctioned Garantex exchange, with both accused by U.S. authorities of facilitating sanctions evasion and laundering funds for Russia-linked actors.
Elliptic founder Tom Robinson has also alleged that Grinex serves as the primary platform for trading A7A5, a ruble-backed stablecoin associated with sanctions evasion. A spokesperson for the exchange previously told that it condemns all forms of illegal activity, including money laundering.
Separately, blockchain intelligence firm TRM Labs suggested the same attacker may have targeted another platform. It reported that two wallets tied to TokenSpot—a Kyrgyzstan-based exchange with on-chain links to Grinex—sent about $5,000 to the same consolidation address used in the Grinex hack.
TokenSpot had announced technical maintenance and a brief outage on April 15, before stating the following day that full operations had resumed.
TRM Labs said it has identified 16 additional addresses tied to the incident beyond those disclosed by Grinex. The consolidation address receiving the stolen funds now holds 45.9 million TRON (TRX), valued at nearly $15 million.
Hacker may have stolen $15M in USDT
Blockchain analytics firm Elliptic reported that roughly $15 million in USDt (USDT) was drained from Grinex accounts and transferred across the Tron and Ethereum blockchains.
“This USDT was then converted into other assets, such as TRX or ETH. By doing so, the attacker reduced the risk of the stolen funds being frozen by Tether,” the firm said.
This is not the first attack on exchanges accused of facilitating sanctions evasion. In June 2025, Iran-based exchange Nobitex lost $81 million in a hack claimed by a pro-Israel hacker group.
