Russia linked crypto exchange Grinex has suspended all operations after losing over $13 million in a major cyberattack it claims may involve foreign intelligence agencies.
Key Takeaways
- Grinex halted trading after a cyberattack drained over $13 million from its wallets.
- The exchange blamed βforeign special servicesβ for the sophisticated breach.
- Blockchain firms like Elliptic and TRM Labs traced funds moving across multiple wallets and chains.
- The incident raises concerns over sanctions evasion networks and crypto security risks.
What Happened?
Grinex confirmed that more than 1 billion rubles in digital assets were stolen in a large scale cyberattack. The exchange immediately suspended trading and reported the incident to law enforcement authorities.
The company described the breach as highly advanced and suggested it may have involved state level actors, though no clear attribution has been confirmed.
Sanctioned Russian-linked crypto exchange Grinex has suspended all operations following a major cyberattack. The platform reportedly lost over $13 million in assets, with on-chain data showing stolen funds being swapped into Ethereum and TRON. pic.twitter.com/DjkKAISGJD
β Steffan (@Steffan0xd) April 17, 2026
Exchange Halts Operations After Major Breach
Grinex, a crypto exchange registered in Kyrgyzstan but closely tied to Russiaβs financial ecosystem, announced a full suspension of trading following the exploit. The platform revealed that funds were removed from at least 54 wallet addresses, indicating a coordinated and widespread breach.
In its official statement, Grinex said:
The exchange also claimed that the attack was part of a broader effort to disrupt Russiaβs financial system and limit crypto activity beyond the region.
Authorities have now received all relevant data, and a criminal investigation is expected to follow.
On Chain Data Shows Rapid Fund Movement
Blockchain analysis from Elliptic and TRM Labs revealed that approximately $15 million in USDT was quickly moved out of Grinex linked wallets.
The stolen funds were:
- Split across multiple addresses.
- Transferred to consolidation wallets.
- Converted into TRX and Ether on the Tron and Ethereum networks.
This conversion likely helped attackers avoid potential freezing of USDT by Tether, a common tactic in crypto exploits.
TRM Labs also identified additional wallet addresses linked to the incident that were not initially disclosed by the exchange. One main wallet reportedly holds nearly 45.9 million TRON tokens, valued at close to $15 million.
Possible Links to Wider Network Activity
The incident may not be isolated. Investigators flagged activity involving TokenSpot, another Kyrgyzstan based exchange with on chain connections to Grinex.
Two wallets linked to TokenSpot transferred small amounts to a wallet associated with the attacker. Around the same time, TokenSpot reported a temporary outage due to technical maintenance.
While no direct link has been confirmed, the timing and transaction patterns have raised questions about a broader impact.
Sanctions Scrutiny and Garantex Connection
Grinex has long been under international scrutiny due to its alleged ties to Garantex, a previously sanctioned Russian crypto exchange. Authorities have accused Garantex of facilitating money laundering and helping bypass financial restrictions.
Analysts believe Grinex may have inherited both liquidity and users from Garantex after its shutdown. The platform has also been linked to the ruble-backed stablecoin A7A5, which has reportedly processed over $100 billion in transactions.
Despite these concerns, Grinex has denied any involvement in illegal activity and stated that it does not support sanctions evasion.
Rising Wave of Crypto Attacks
The Grinex exploit comes during a sharp increase in crypto related security incidents. According to industry data, more than a dozen crypto platforms and DeFi protocols have been targeted in recent weeks, including a major $280 million exploit earlier this month.
This trend highlights ongoing vulnerabilities in the digital asset space, especially for platforms operating in complex regulatory environments.
CoinLawβs Takeaway
In my view, this story goes far beyond just another crypto hack. It shows how crypto platforms are now sitting at the intersection of geopolitics and finance. When an exchange starts blaming foreign intelligence agencies, it signals how serious and complicated the situation has become.
I found the rapid movement and conversion of funds particularly telling. It shows that attackers are getting smarter and faster at avoiding detection. At the same time, the links to sanctioned entities make this case even more sensitive.
In my experience, incidents like this often lead to tighter regulations and more scrutiny, especially for exchanges operating in high risk regions.
