Grinex Suspends Operations After $13 Million to $15 Million Crypto Heist

17 April, 2026 | Crypto | 6 sources

Key Takeaways

  • Grinex suspended all operations after a cyber heist valued at about $13–15 million.
  • Grinex blames Western intelligence services for the attack.
  • Stolen funds exceed 1 billion rubles, roughly $13 million.

Grinex halts after heist

Kyrgyzstan-registered crypto exchange Grinex suspended operations after a major cyberattack that drained user funds, with the company and multiple blockchain researchers putting the theft in the $13 million to $15 million range.

Grinex, a US-sanctioned cryptocurrency exchange registered in Kyrgyzstan, said it’s halting operations after experiencing a $13 million heist carried out by “western special services” hackers.

Ars Technica

Ars Technica reported that Grinex said it was halting operations after experiencing a “$13 million heist” and that TRM confirmed the theft, putting the value of stolen assets at “$15 million” after discovering “roughly 70 drained addresses.”

Security Affairs described the shutdown as following a “$13.7M cyber heist,” and FXLeaders said Grinex was forced to pull the plug on “all trading” after losing “$13.7-14 million.”

Grinex said it had been under “almost constant attack attempts since incorporating 16 months ago,” and Ars Technica added that the latest attacks targeted “Russian users of the exchange.”

The exchange’s statement also framed the incident as an assault on Russia’s financial sovereignty, saying the “digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states.”

Grinex further said it was “forced to suspend operations” and that “All available information has been transferred to law enforcement agencies,” with “An application … submitted to the location of the infrastructure to initiate a criminal case.”

What was stolen and where

Across the reporting, the heist is described as draining large amounts from wallets, then moving the stolen stablecoin quickly across networks.

Ars Technica said TRM discovered “roughly 70 drained addresses,” a count it described as “about 16 more than Grinex reported,” while Elliptic and TRM did not say how attackers slipped past Grinex’s defenses.

Security Affairs added that Grinex reported hackers stole “over 1 billion rubles ($13.1 million) from Russian users’ crypto wallets,” and it described Grinex as a “crypto-ruble exchange serving Russian-speaking users.”

Elliptic’s analysis, as quoted by Security Affairs, said hackers moved “about $15 million in USDT to other wallets, then quickly converted it into TRX or ETH,” and it specified that “These accounts have outgoing transactions totaling approximately $15 million in USDT, at around 12:00 UTC on Wednesday.”

Security Affairs also said the USDT was converted into “either TRX or ETH” to avoid “the risk of the stolen USDT being frozen by Tether,” and Ars Technica similarly noted that “both exchanges became inoperable on Wednesday, suggesting they were hit by the same attacker.”

FXLeaders described the breach as involving theft from “54 wallets” and said “one billion Russian rubles” were taken, while Silicon UK reported that Grinex said “more than 1 billion rubles (£9.7m) of user funds were stolen.”

PortalCripto likewise said the intrusion led to “losses exceeding 1 billion rubles, equal to about $13 million,” and it described assets moving through “the Tron and Ethereum networks,” then being converted into “TRX and ETH.”

Grinex blames Western intelligence

Ars Technica reported that Grinex said it experienced a “$13 million heist carried out by ‘western special services’ hackers,” and it quoted the exchange’s claim that “The digital footprints and nature of the attack indicate an unprecedented level of resources and technology available exclusively to the structures of unfriendly states.”

In the same account, Grinex said the attack was coordinated “with the aim of causing direct damage to Russia’s financial sovereignty,” and it added that it was “forced to suspend operations.”

Security Affairs likewise quoted Grinex’s press release, describing the attack as “a large-scale cyberattack with indications of involvement by foreign intelligence agencies,” and it repeated the exchange’s line that “The digital footprint and nature of the attack indicate an unprecedented level of resources and technology, accessible only to entities of hostile states.”

The Crypto Times also framed the exchange’s accusation in similar terms, saying Grinex accused “foreign special services” of orchestrating the breach and quoting that “The nature of the attack indicates an unprecedented level of resources… aimed at directly harming Russia’s financial sovereignty.”

Silicon UK reported that Grinex attributed the theft to “the intelligence services of ‘unfriendly states’,” and it described the exchange as saying the attack was designed to “cause direct damage to Russia’s domestic financial sovereignty.”

PortalCripto echoed the same theme, saying users could view a statement describing the incident as “a coordinated attack aimed at directly undermining Russia's financial sovereignty.”

Sanctions, Garantex, and OFAC

The Grinex hack is also being reported through the lens of US sanctions and the exchange’s alleged lineage to Garantex.

Ars Technica said the US Treasury Department sanctioned Grinex last year, and it quoted the Office of Foreign Assets Control saying Grinex was “a rebrand of Garantex, an exchange it had sanctioned in 2022.”

Ars Technica further quoted OFAC’s description of Garantex, saying it had “directly facilitated notorious ransomware actors and other cybercriminals by processing over $100 million in transactions linked to illicit activities since 2019.”

Security Affairs added that in 2025 Grinex acquired clients and infrastructure from Garantex after an international law enforcement operation led by the US Secret Service seized the website (“garantex[.]org”) of the sanctioned exchange Garantex.

Silicon UK described Grinex as “the direct successor to Garantex,” saying Garantex was sanctioned by the US Treasury Office of Foreign Assets Control (OFAC) and targeted by international law enforcement for laundering “hundreds of millions of dollars of revenues from ransomware, darknet markets and state-sponsored hacking groups.”

Ars Technica also reported that TRM said last year that Grinex was likely a front for Garantex, and it noted that the latest attacks targeted “Russian users of the exchange.”

In addition, Ars Technica said the US Treasury Department’s OFAC described Garantex’s role in processing illicit transactions, while Security Affairs said the press release included “the list of wallets from which funds were stolen.”

The sanctions context also appears in Silicon UK’s description of how, after Garantex’s shutdown, “the company’s remaining liquidity, customers and staff migrated to Grinex,” linking the platform’s rise to the prior sanctioned exchange’s closure.

Contagion fears and next steps

Reporting also points to possible spillover effects beyond Grinex, with TRM saying a second Kyrgyzstan-based exchange, TokenSpot, was breached and that both exchanges became inoperable on Wednesday.

Grinex, a Russia-linked cryptocurrency exchange that has been linked to the laundering of hundreds of millions of dollars in criminal proceeds, suspended its operations on Thursday after saying it had been struck by a large-scale cyber-attack.

Silicon UK

Ars Technica said TRM reported that “TokenSpot, a second Kyrgyzstan-based exchange, was also breached,” and it added that “Two of the exchange’s addresses sent funds to the same consolidation address used by the affected Grinex-linked wallets.”

Ars Technica also said “both exchanges became inoperable on Wednesday, suggesting they were hit by the same attacker,” and FXLeaders similarly described “TokenSpot – another Kyrgyzstan-based exchange” as having “indirect exposure thanks to wallets that were interacting with the same address that the hackers were using to control the Grinex heist.”

The Crypto Times said TRM Labs noted that TokenSpot “also appears to have been hit in the same operation,” and it described users with balances on the platform facing “an uncertain wait.”

Security Affairs said Grinex reported the incident to law enforcement and filed a criminal complaint “where its infrastructure is located,” and it said the press release included the list of wallets from which funds were stolen.

Ars Technica said Grinex submitted “An application … to the location of the infrastructure to initiate a criminal case,” and it described the exchange as transferring “All available information” to law enforcement agencies.

Meanwhile, Silicon UK reported that Grinex disclosed “a list of accounts it claimed were accessed by attackers,” and it said the platform is “one of the largest exchanges for converting rubles to crypto-assets,” raising the stakes for users who rely on it for ruble-to-crypto conversions.

PortalCripto added that the platform suspended “withdrawals and trades” after the cyberattack, and it said independent analyses indicate losses could be greater, citing Elliptic’s estimate of “about $15 million in USDT.”
