20.04.2026
2 min
208
Sanctioned crypto exchange Grinex has shut down after a large-scale cyberattack that resulted in the theft of over $13.74 million in cryptocurrency. The company claims the possible involvement of foreign intelligence services.
Cryptocurrency exchange Grinex (based in Kyrgyzstan) has shut down operations after being the victim of a massive cyberattack. The exchange stated that approximately $ 13.74 million were lost in the theft; they attributed the loss directly to “Western” intelligence services. Grinex claimed the cyberattack seemed like a well-planned operation involving some state involvement, and more than 1 billion rubles were stolen from users.
“Digital forensic evidence and the characteristics of the attack point toward an unprecedented resource investment and technological sophistication typically available to government agencies,” Grinex explained. Additionally, Grinex stated preliminary investigations indicated an effort to damage Russia’s sovereign financial independence.
The exchange further emphasized that there had previously been many attempts to breach its systems and infrastructure since its founding, but this most recent instance represented a “new level” of escalation. According to Grinex, this action is viewed as a part of larger efforts to destabilize the Russian domestic financial sector.
Grinex is considered to be the successor of the Garantex exchange which was sanctioned by the U.S. Treasury Department in April 2022 for alleged money laundering activities tied to ransomware groups and darknet marketplaces (Conti and Hydra). In August 2025, sanctions against Garantex were extended when officials discovered that Garantex processed over $100 million in illicit transactions.
Following the imposition of these sanctions, analysts claim that the majority of Garantex’s customer base was successfully migrated to Grinex. Grinex then began operating using the ruble stablecoin A7A5. Elliptic’s analysis of related exchanges show no indication that they have halted their own operations. For example, Rapira (registered in Georgia but having offices in Moscow) has completed transactions totaling over $72 million with Grinex. This suggests that Russian connected crypto services are finding ways to evade sanctions.
Analysts claim that the initial attack on Grinex occurred on April 15, 2026 at approximately noon UTC. The funds stolen from Grinex were rapidly moved across both the TRON and Ethereum blockchain networks. Simultaneously, USDT was converted into different assets (such as TRX or ETH), in order to prevent possible freezes.
TRM Labs identified roughly 70 addresses associated with the incident. TokenSpot (an exchange estimated to be related to Grinex) was also impacted contemporaneously with Grinex. TokenSpot reported technical difficulties and temporarily suspended access to their service on the date of the attack. The following day, they issued a statement announcing their ability to resume normal service.
Preliminary estimates suggest only slightly less than $ 5 thousand were taken from TokenSpot. Funds removed from TokenSpot flowed through two separate addresses on the platform and were ultimately merged with the primary stream of transactions connected to Grinex.
In regard to behavior exhibited by attackers Chainalysis analysts note that they rapidly exchanged stable coins for non-freezable assets. This type of behavior allows attackers to maximize difficulty in tracing stolen funds and retain full control over them.
Despite this Chainalysis does not rule out another explanation of events. Due to the sanctioned status of Grinex and its limited ecosystem, it is possible that the event was a “foreign flag” operation.
