Grinex, a Russian-linked crypto exchange, has suspended all services after a cyberattack drained more than 1 billion rubles from user accounts, with on-chain data suggesting the total loss is approximately $15 million. The exchange claimed the incident was a sophisticated, state-backed attack designed to destabilize Russia’s financial system.
In an official statement on its Telegram channel, Grinex alleged the exploit was conducted by “Western special services,” citing an “unprecedented level of resources and technologies available exclusively to structures of unfriendly states.” The company stated it has provided all technical information to law enforcement and that a criminal investigation is now underway.
On-chain analysis from blockchain security firms shows the stolen funds were converted into approximately 45.9 million TRX, the native token of the Tron blockchain, and consolidated into a single wallet address. The value of the TRX in the wallet is currently estimated at around $15 million.
The incident draws significant scrutiny due to Grinex’s suspected ties to the sanctioned exchange Garantex, which was seized by international law enforcement in March 2025. According to analysis from TRM Labs, Grinex emerged less than two weeks after Garantex was shut down and was promoted by Garantex-linked communities. Investigators noted that the infrastructure, interface, and wallet clusters of the two exchanges were nearly identical, suggesting Grinex was a simple rebranding effort to evade sanctions.
The Garantex Connection
Garantex was a major player in Russian illicit finance, processing an estimated $96 billion in transactions from 2019 until its seizure. It was heavily involved in sanctions evasion and the laundering of funds from ransomware attacks. Blockchain firm Elliptic noted that just before its shutdown, Garantex began moving assets into A7A5, a ruble-linked stablecoin, which was then heavily traded on Grinex. This connection suggests a direct continuation of operations.
Grinex acknowledged in its statement that it had faced “systemic attempts to limit the withdrawal of cryptocurrencies outside the CIS” through sanctions and targeted wallet monitoring. However, the exchange framed the hack as a new level of escalation, describing it as the “direct theft of assets of Russian citizens and companies.”
While Grinex insists it is not shutting down permanently, all trading and withdrawal services remain frozen as the investigation proceeds. The attack highlights the persistent risks associated with exchanges operating in high-risk jurisdictions and the methods used by sanctioned entities to continue their activities.