Grinex, a cryptocurrency exchange based in Kyrgyzstan and previously sanctioned by both the United Kingdom and the United States, has announced the suspension of its operations following a significant cyberattack resulting in the theft of approximately $13.74 million. The exchange attributes this breach to Western intelligence agencies, suggesting a deliberate attempt to undermine Russia’s financial stability.
The cyberattack, which led to the loss of over 1 billion rubles in user funds, was characterized by Grinex as exceptionally sophisticated, indicating the involvement of state-level resources. In a statement on its website, the company asserted that the attack’s complexity and the digital forensic evidence point to capabilities typically exclusive to hostile state agencies. Grinex further suggested that the attack was orchestrated with the specific aim of damaging Russia’s financial sovereignty.
A company spokesperson said that Grinex’s infrastructure has been under continuous attack since its inception. However, this recent incident represents a significant escalation, seemingly aimed at destabilizing the domestic financial sector.
Background and Sanctions
Grinex is widely believed to be a rebranded version of Garantex, a cryptocurrency exchange sanctioned by the U.S. Treasury Department in April 2022 for laundering funds associated with ransomware groups and darknet markets, including Conti and Hydra. In August 2025, the Treasury renewed sanctions against Garantex, citing its processing of over $100 million in illicit transactions and facilitation of money laundering activities.
In response to these sanctions, Garantex reportedly transitioned its customer base to Grinex and continued operations using a ruble-backed stablecoin known as A7A5. This maneuver was seen as an attempt to circumvent the imposed restrictions and maintain its presence in the cryptocurrency market.
Details of the Cyberattack
The theft occurred on April 15, 2026, around 12:00 UTC. Blockchain analytics firm Elliptic reported that the stolen funds were transferred to accounts on the TRON and Ethereum blockchains. The perpetrators then converted the stolen USDT (Tether) into other cryptocurrencies, such as TRX (Tron) or ETH (Ethereum), to evade potential asset freezing by Tether.
TRM Labs identified approximately 70 addresses linked to the incident and noted that TokenSpot, another Kyrgyzstan-based exchange potentially operating as a front for Grinex, was also affected. On the same day as the Grinex breach, TokenSpot announced a temporary service outage due to technical maintenance, resuming full operations the following day. The attacker is estimated to have stolen less than $5,000 from TokenSpot, with the funds routed through addresses associated with Grinex-linked wallets.
Implications and Analysis
Chainalysis, in its analysis of the incident, observed that the rapid conversion of stablecoins into more decentralized tokens is a common tactic among cybercriminals to launder illicit proceeds before assets can be frozen. Given Grinex’s heavily sanctioned status and its use of obfuscation techniques previously employed by Garantex, there is speculation about the true nature of the attack. Some analysts suggest the possibility of a false flag operation, while others consider it a genuine exploit by cybercriminals. Regardless, the disruption of Grinex represents a significant blow to the infrastructure supporting Russian sanctions evasion.
Conclusion
The suspension of Grinex’s operations following this substantial cyberattack underscores the vulnerabilities inherent in cryptocurrency exchanges, especially those operating under sanctions. The incident highlights the ongoing challenges in securing digital assets and the complex interplay between cybercrime and international geopolitical tensions.