The Russian cryptocurrency exchange Grinex has suffered a major security breach, resulting in the theft of over 1 billion rubles (more than $13 million USD). In response, the exchange has suspended all user services, including deposits and withdrawals.
The exchange's official statement, posted on Telegram, attributed the sophisticated attack to "foreign special services," specifically alleging involvement by "Western special services." Grinex claimed the cyberattack was an attempt to "destabilize" Russia's financial sector and harm its financial sovereignty. This claim remains unverified by independent cybersecurity firms.
Blockchain analysis reveals the attackers drained various cryptocurrencies from Grinex's hot wallets and subsequently converted the stolen assets. Funds were consolidated into approximately 45.9 million TRX (Tron's token), worth around $15 million, and deposited into a single Tron wallet. Elliptic's on-chain analysis also noted that about $15 million worth of USDT left the exchange, with funds being converted to ETH or TRX on the Ethereum and Tron blockchains.
The incident is further complicated by Grinex's alleged links to the sanctioned exchange Garantex, which was seized and taken offline by the U.S. Secret Service in March 2025 for alleged ties to sanctioned Russian entities. Analysts from Elliptic state that Grinex uses the "same fingerprint" as Garantex and is the main trading venue for the ruble-backed stablecoin A7A5, which has facilitated over $100 billion in transfers as part of a suspected sanctions evasion enterprise. Grinex launched just two weeks after Garantex's closure, reportedly using the same team and infrastructure.
Grinex has passed information to law enforcement and is seeking to open a criminal case. The hack damages confidence in the regional crypto market and underscores persistent security challenges for centralized exchanges. It is also likely to accelerate regulatory discussions in Russia concerning mandatory security audits and proof-of-reserves.
