Garantex Successor Grinex Collapses Days After Coordinated Wallet Exploit

Grinex, a sanctioned crypto exchange serving Russian businesses and individual users, said it was hit by a large-scale cyberattack that resulted in the theft of funds worth more than 1 billion rubles from its users’ wallets.

The exchange described the incident as a targeted operation and claimed there were indications of involvement by foreign intelligence agencies. It said the technical footprint and scale of the attack suggested the use of advanced resources typically available to state-backed actors.

Following the breach, Grinex suspended its operations.

Laundering Route Exposed

In its official update, the exchange said that all relevant information had been handed over to law enforcement authorities. A criminal complaint has also been filed at the location of its infrastructure. Grinex stated that the attack led to total damages estimated at around 13.74 million USDT.

Blockchain analytics firm TRM Labs reported around 70 addresses connected to the hack, which is about 16 more than what Grinex publicly disclosed. According to the findings, all stolen assets were swapped into TRX through SunSwap and later pooled into a single TRON address.

The report also says TokenSpot, which TRM found to be a potential front linked to Garantex, was affected around the same time. Two of its wallets sent funds to the same consolidation address used by Grinex-linked wallets. Both platforms reportedly went offline on 15 April, which indicates that they may have been targeted by the same attacker.

Grinex was set up in Kyrgyzstan in December 2024, just weeks before a coordinated law enforcement operation in March 2025 that took down Garantex, a crypto exchange previously flagged for high-risk activity. Soon after Garantex was shut down, Telegram channels connected to it began directing users toward Grinex and presented it as a replacement platform with similar features. These channels also encouraged former customers to migrate in order to regain access to frozen funds.

This led the US Treasury’s OFAC to impose sanctions on Grinex, along with individuals linked to Garantex and the issuer of the A7A5 token, Old Vector, that same year. Before its closure, Garantex had processed over $100 billion in transactions while under sanctions since 2022.

The report also shed light on the use of A7A5, a ruble-pegged stablecoin issued by Old Vector. According to the findings, Garantex wallets began moving funds into A7A5 in early 2025, before enforcement action began. After the shutdown, former users were issued A7A5 credits on Grinex equal to their frozen balances, allowing them to continue transactions through the new system.

Russia-Linked Illicit Activity

An earlier report by the platform found that illicit crypto inflows jumped in 2025, with about $158 billion flowing into suspicious wallets. The rise was mainly linked to Russia-related activity and improved tracking methods. Despite the increase, illicit transactions still made up only around 1.2% of total on-chain volume.

A7A5 was the largest contributor, bringing in about $72 billion in incoming value. Another $39 billion was linked to the A7 wallet cluster. Most of this activity was tied to Garantex, Grinex, and A7.

The post Garantex Successor Grinex Collapses Days After Coordinated Wallet Exploit appeared first on CryptoPotato.