On April 16, 2026, Grinex—a cryptocurrency exchange registered in Kyrgyzstan but deeply connected to Russian financial networks—suspended all operations after suffering a large-scale cyber intrusion. The platform stated that hackers had drained user assets worth approximately $15 million, equivalent to more than one billion Russian rubles.
Grinex promptly notified law enforcement and publicly shared details of the compromised wallets, framing the incident as an act of economic sabotage by foreign adversaries equipped with advanced capabilities typically available only to state-level actors.
Blockchain intelligence specialists at TRM Labs conducted a thorough on-chain review and identified roughly 70 addresses linked to the theft—about 16 more than those listed by Grinex itself.
The stolen funds, primarily USDT tokens on the TRON blockchain, were rapidly exchanged for TRX through the decentralized platform SunSwap.
All proceeds were then funneled into a single consolidation wallet, which held around 45.9 million TRX (valued at nearly $15 million) shortly after the incident.
TRM analysts also uncovered evidence that the same attacker struck a related Kyrgyzstani exchange called Tokenspot on or around April 15.
Two Tokenspot addresses routed small amounts—less than $5,000 total—to the identical TRON consolidation address used by the Grinex wallets.
Both platforms experienced brief outages at the same time, strongly suggesting a coordinated operation targeting interconnected infrastructure.
Elliptic’s independent analysis aligned closely with these findings, confirming outflows of about $15 million in USDT from Grinex-controlled accounts around midday UTC on April 16.
The pilfered stablecoins were subsequently converted into TRX or ETH on the TRON and Ethereum networks, a common tactic to reduce the risk of immediate asset freezes by issuers such as Tether.
Grinex operates as the de facto successor to Garantex, a notorious Russian exchange that was dismantled by international law enforcement in March 2025 following years of facilitating illicit flows exceeding $100 billion, much of it tied to sanctioned entities.
Grinex was incorporated in late 2024 and quickly absorbed migrating users and liquidity from Garantex.
US authorities sanctioned the platform in August 2025, along with key individuals and the issuer of A7A5, a ruble-pegged stablecoin that has served as a cornerstone of Russia’s parallel payment systems.
Tokenspot, which has processed more than $4 billion in volume since late 2023, shows extensive on-chain overlaps with both Garantex and Grinex, including substantial transfers linked to broader sanctions-evasion networks and even illicit activities involving sanctioned groups.
TRM Labs assessed the breach as most likely an external cyber operation rather than an internal exit scam, citing the relatively modest sums taken from Tokenspot and the indiscriminate nature of the wallet targeting.
While Grinex has resumed limited communications, Tokenspot briefly announced technical maintenance before returning to service.
The incident highlights the ongoing risks facing platforms embedded in high-risk sanctions-circumvention ecosystems, where sophisticated attackers continue to exploit shared infrastructure despite heightened regulatory pressure. As investigations proceed, the full scope of the theft and any potential recovery efforts remain under scrutiny by global authorities and blockchain forensics teams.