Grinex Halts Trading After $14M Hack

Grinex, the sanctioned crypto exchange long suspected of serving as Russia's back-channel for dollar-denominated trades, shut down operations Thursday after losing more than $13.7 million to a hack it publicly blamed on a foreign government. The exchange said funds were pulled from 54 addresses and that whoever did it had access to tools that only a hostile nation-state could deploy. That's quite a claim — especially from a platform that US authorities have accused of doing Russia's financial dirty work.

Grinex Blames State Actors — But the Timeline Is Damning

The attack hit Grinex sometime before Thursday, April 17, when the exchange posted a public statement saying it had been forced to suspend all trading. The losses — over 1 billion Russian rubles, which converts to roughly $13.7 million — came from 54 separate wallet addresses getting drained in what Grinex called an operation demonstrating an 'unprecedented level of resources and technology available only to entities of hostile states.'

That framing deserves some scrutiny. Grinex is registered in Kyrgyzstan but has been deeply embedded in Russia's crypto ecosystem. US authorities have accused it of facilitating sanctions evasion and laundering money on behalf of Russia-linked hackers. Calling the attack state-sponsored is the kind of language designed to win domestic sympathy — not to help blockchain investigators trace the funds.

A criminal complaint was filed with law enforcement at the location of Grinex's infrastructure, the exchange said. All digital evidence was also handed over to authorities. Whether that leads anywhere is another question entirely.

Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure.

The Garantex Connection — Russia's Revolving Door of Sanctioned Exchanges

Garantex was sanctioned by the US Treasury in 2022 for its role in processing transactions tied to ransomware groups and darknet markets. It was eventually shut down by coordinated law enforcement action. And then — almost immediately — Grinex appeared, operating in its place and serving much of the same client base.

Elliptic founder Tom Robinson had gone on record accusing Grinex of being the primary trading platform for A7A5, a ruble-backed stablecoin described by analysts as a tool for sidestepping sanctions infrastructure. For its part, Grinex insisted last year that it 'strongly condemns any form of illegal activity, including sanctions evasion and money laundering.' Right.

What the Garantex-to-Grinex pattern actually shows is something the crypto industry doesn't like to talk about: sanctioned exchanges don't really die. They rebrand. They pop up under new names, in new jurisdictions, with the same operators and the same networks. The question after this hack isn't whether Grinex survives — it's what comes next.

How Was the $15M Moved — and Why TRX?

Here's where the blockchain analytics gets interesting. Elliptic tracked roughly $15 million in USDT leaving Grinex accounts after the hack — a figure slightly higher than Grinex's own $13.7 million estimate. The stolen stablecoins were then moved onto the Tron or Ethereum blockchains and quickly converted into either TRON (TRX) or ETH.

That conversion wasn't random. Tether has the power to freeze USDT held at specific addresses — it's done it before at law enforcement request. By swapping stolen USDT for TRX or ETH, whoever took the funds removed that risk entirely. The consolidation address identified by TRM Labs held 45.9 million TRX, worth close to $15 million at the time of writing.

TRM Labs also flagged that Grinex may not have been the only target. Two wallets belonging to TokenSpot — a Kyrgyzstan-based exchange with documented on-chain links to Grinex — sent approximately $5,000 to the same consolidation address used by the Grinex attacker. TokenSpot's Telegram channel announced brief technical work and a platform outage on April 15, followed by an all-clear the following day. TRM Labs has identified 16 additional addresses connected to the incident beyond those Grinex disclosed publicly.

This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether.

Is This Part of a Broader Pattern of Targeting Sanctions-Evading Exchanges?

This isn't unprecedented. Back in June 2025, Iran-based exchange Nobitex had $81 million drained from its wallets, with a pro-Israel hacker group claiming credit. Like Grinex, Nobitex had been accused of helping sanctioned entities move money — and like Grinex, it was targeted in what appeared to be a politically motivated attack rather than a standard financially motivated heist.

The pattern suggests something uncomfortable for the narrative that crypto is politically neutral infrastructure. When exchanges operate in the gray zone — deliberately positioned to serve sanctioned states or actors — they become geopolitical targets as much as financial ones. The funds don't move back to victims. They move deeper into obfuscation layers, convert into assets Tether can't touch, and disappear into wallets that investigators will spend months unraveling.

Grinex blamed foreign intelligence. TokenSpot called it a technical outage. Neither characterization captures what's actually happening: the underground financial infrastructure that some governments depend on is proving far more brittle than anyone expected — and someone, somewhere, seems very interested in demonstrating that.