Grinex Cryptocurrency Platform Suspends Operations Following $14M Security Breach
Trading activities have been suspended at Grinex, a sanctioned cryptocurrency platform, following the theft of $14 million in USDT from 54 separate wallets, though blockchain analysis experts suggest actual losses may exceed this figure.
According to statements from Grinex, a cryptocurrency exchange currently under sanctions, trading operations have been halted following a security breach that resulted in losses exceeding 1 billion Russian rubles ($13.7 million), with the platform suggesting the attack shows characteristics consistent with foreign intelligence service involvement.
Operating with a registration in Kyrgyzstan while maintaining connections to Russia's cryptocurrency infrastructure and facing accusations of facilitating sanctions circumvention, the platform announced on Thursday that assets were extracted from 54 separate addresses, with the technical signature and characteristics of the breach suggesting an "unprecedented level of resources and technology available only to entities of hostile states."
Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure.
Market observers had long considered Grinex to be the effective replacement for Garantex, another sanctioned exchange. United States authorities have implicated both platforms in facilitating sanctions evasion efforts for Russia and associated entities, as well as enabling fund laundering operations for hacker groups connected to Russia.
Tom Robinson, who founded Elliptic, has pointed to the platform as the dominant venue for A7A5 trading activity, a stablecoin pegged to the Russian ruble that has been connected to sanctions evasion schemes.
When contacted by Cointelegraph during the previous year, a representative from Grinex stated that the platform firmly opposes all forms of illicit conduct, specifically mentioning sanctions evasion activities and money laundering operations.
Another exchange might have been hit by the same attacker
The security breach at Grinex may represent just one component of a broader attack campaign. TRM Labs, a blockchain intelligence firm, reported on Thursday that TokenSpot, another Kyrgyzstan-registered exchange platform that shares on-chain connections with Grinex, had two of its wallets transmit approximately $5,000 to an identical consolidation address utilized by the individual or group responsible for the Grinex attack.
Communications from TokenSpot's official Telegram channel on April 15 informed users of technical maintenance activities and a temporary platform shutdown, with a subsequent update issued the following day confirming that complete operational functionality had been restored.
Additionally, TRM Labs reported discovering 16 supplementary addresses connected to the security incident beyond the addresses that Grinex made available to the public. The central consolidation address serving as the destination for all stolen assets currently holds 45.9 million TRON (TRX), representing a value approaching $15 million.
Hacker might have stolen $15 million in USDT
Analysis conducted by Elliptic, a blockchain analytics company, indicates that approximately $15 million in USDt (USDT) was withdrawn from accounts associated with Grinex. Following the extraction, these digital assets were transferred to wallet addresses operating on either the Tron or Ethereum blockchain networks.
This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether.
Elliptic
Exchanges facing accusations of assisting entities in circumventing United States sanctions have been targeted previously. Nobitex, a cryptocurrency exchange based in Iran, experienced an $81 million drainage of funds in June 2025, with a hacker collective expressing support for Israel subsequently taking credit for the attack.