Grinex, a crypto exchange registered in Kyrgyzstan but linked to Russia’s crypto ecosystem and previously sanctioned by some observers, announced it has suspended trading after an attack that drained more than 1 billion Russian rubles (about $13.7 million). The exchange said funds were taken from 54 addresses and that the digital footprint and sophistication of the operation point to resources and technology consistent with state-level actors.
“Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure,” the company said.
Grinex has been widely viewed as the successor to the sanctioned Garantex exchange. U.S. authorities and blockchain investigators have previously accused those platforms of facilitating sanctions evasion and laundering funds for Russia-linked hackers. Elliptic founder Tom Robinson has identified Grinex as a primary venue for trading A7A5, a ruble-backed stablecoin alleged to have been used in sanction-avoidance schemes. Grinex has publicly stated it condemns illegal activity, including sanctions evasion and money laundering.
Blockchain intelligence firms have been tracing the theft. TRM Labs reported that two wallets from TokenSpot, a Kyrgyzstan-based exchange with on-chain links to Grinex, sent about $5,000 to the same consolidation address used by the attacker. TokenSpot said it performed technical work and experienced a brief outage on April 15, resuming full operations the following day. TRM also identified 16 additional addresses tied to the incident beyond those disclosed by Grinex. The consolidation address currently holds 45.9 million TRON (TRX), valued at nearly $15 million.
Elliptic tracked roughly $15 million in USDT moving out of Grinex accounts. According to the firm, those funds were routed through Tron and Ethereum chains and converted into TRX or ETH—likely to reduce the risk that the stolen USDT could be frozen by Tether.
This episode follows a pattern of attacks on exchanges that have been accused of aiding sanctions evasion. In June 2025, Iran-based Nobitex was hit for about $81 million, with a pro-Israel hacker group claiming responsibility.
Grinex says it has provided all relevant information to law enforcement and filed a criminal complaint around its infrastructure. Investigations by on-chain analysts and authorities are ongoing.
Cointelegraph is committed to independent, transparent journalism. This report was produced in accordance with Cointelegraph’s Editorial Policy; readers are encouraged to verify information independently.