Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, announced it is suspending operations after suffering a major hack that resulted in the theft of $13.74 million (over 1 billion rubles) in user funds.
In a strongly worded statement, the exchange blamed the attack on Western intelligence agencies, describing it as a “large-scale cyber attack” with “unprecedented levels of resources and technological sophistication.” Grinex claimed the operation was specifically designed to damage Russia’s financial sovereignty.
The company further stated that its infrastructure had been under continuous attack since it began operations, and that the latest incident represented a new level of escalation.
Background and Sanctions History
Garantex, a cryptocurrency exchange sanctioned by the U.S. Treasury in April 2022 for money laundering tied to ransomware groups like Conti and Hydra, is thought to have rebranded as Grinex. After Garantex processed more than $100 million in illicit transactions, the sanctions against it were renewed in August 2025.
According to blockchain analytics firms Elliptic and TRM Labs, Garantex/Grinex is believed to have continued operations by using a ruble-pegged stablecoin called A7A5. Moreover, Elliptic previously disclosed that Grinex performed over $72 million of direct exchange activity with Rapira, which is located in Georgia and has another office in Moscow.
Grinex Hack Details
Three separate blockchain intelligence companies independently reported the Grinex hack.
1. The Grinex hack took place on Friday, April 15, 2026, from approximately 12:00 until approximately 12:00 UTC.
2. Immediately after the theft (which consisted largely of USDT), the attackers transferred the stolen assets across the TRON and Ethereum blockchains.
3. The hackers moved their assets from stablecoins into non-freezable assets (like TRX or ETH) to safeguard themselves in case Tether tried to freeze their funds.
4. About 70 unique addresses are associated with this incident thus far.
5. A related Kyrgyzstan-based exchange, TokenSpot, was also impacted on the same day, losing less than $5,000. It temporarily went offline citing “technical maintenance.”
Chainalysis noted that the rapid swapping from stablecoins to more decentralized tokens is a common laundering tactic used by bad actors to avoid asset freezes.
Questions and Speculation
Some analysts, Chainalysis included, have suggested that the Grinex hack may have been a false flag staged by Russian insiders, pointing to the high level of sanctions against Grinex and its tightly controlled ecosystem. Yet no definitive evidence has been publicly provided to either support or refute any of these claims.
No matter who was behind this disruption of Grinex, it will significantly harm those who provide support to Russian sanctions violations.
What This Means
This incident shows the continuing struggle between sanctioned organizations and global regulators in the cryptocurrency industry. Even organizations subject to severe sanctions still find ways to carry out illicit transactions, such as through illicit exchanges or other financial institutions, until they become targets themselves.
For the larger crypto ecosystem, it is a reminder that any high-risk exchange (or a low-risk exchange that is under investigation) is likely to have hidden operational and security issues for its users.
Be safe! Whenever you do business with a cryptocurrency exchange (especially one in a jurisdiction that is subject to sanctions or in another high-risk area), make sure you do your research and take into account the possibility of unexpected service interruptions or security failures.
FAQ Section
Q1: How did Grinex get hacked?
According to Grinex, $13.74 million was lost in a cyber attack that it attributes to Western intelligence agencies.
Q2: Is Grinex related to Garantex?
Some people believe that Garantex and the sanctioned exchange Grinex are the same operation under different names.
Q3: Was TokenSpot affected by this cybercrime?
TokenSpot was also affected by this cybercrime, with approximately $5,000 in losses.
Q4: Is there any evidence to suggest that this was a staged hack?
Some analysts suggest this might have been staged, given that the exchange is sanctioned, but no conclusive evidence has been found.
Q5: What should crypto investors consider in light of the Grinex hack?
Crypto users have to consider that using high-risk or sanctioned exchanges is dangerous and that they need to know exactly what kind of security measures are used to protect their money before they send it to any platform.