Grinex Cyber Attack: Grinex, the Kyrgyzstan-based crypto exchange that has been placed under sanctions by the USA, EU, and UK for aiding Russia in avoiding financial restrictions, recently announced that it had suspended all its operations following a “massive cyber attack.” The exchange claimed to have lost over 1 billion Russian rubles (equivalent to about USD 13-15 million) as a result of the attack. It also stated that the hack had the “digital footprints of unprecedented amounts of resources and technology reserved only for the use of entities from unfriendly countries,” pointing the finger at Western intelligence.

What the Evidence Shows
Blockchain analytics firms Elliptic and TRM Labs confirmed the hack and have already determined that the stolen USDT was moved across the Tron and Ethereum blockchains, with the attacker quickly converting it into TRX and ETH respectively. This avoided a freeze of the funds by Tether, and the assets were moved into a single address currently holding approximately 45.9 million TRX (around USD 15 million). In addition to the large amount of TRX, the unified address has received a transaction of around USD 5,000 from TokenSpot (another exchange in Kyrgyzstan, which had gone offline briefly), suggesting a single attacker may have targeted a connected network.
The attack significantly impeded Grinex, which had previously been a key player in the sanctions evasion scheme used by Russian entities. U.S. federal authorities have accused Grinex of working with entities using the ruble-pegged stablecoin A7A5 to circumvent Society for Worldwide Interbank Financial Telecommunication (SWIFT) sanctions, and Grinex is believed to be a successor to Garantex, which shut down in March 2025 after Tether froze approximately USD 2.5 billion of assets.
Grinex Cyber Attack: Broader Implications
- Geopolitical Risk: This incident highlights how vulnerable exchanges that operate in sanctioned areas are to hackers. Crypto infrastructure used to avoid sanctions will be a target for both criminals and state-sponsored cybercriminals.
- Tether’s Role: The immediate conversion of USDT into non-freezable assets (TRX / ETH) shows the limitations of stablecoin issuer controls once funds move off primary networks.
- DeFi Security Context: The Grinex hack was part of a two-week-long attack that compromised over 12 protocols and exchanges, following Drift’s exploit for USD 285 million on April 1.
Now What?
After the Grinex cyber attack, the firm turned over all records to law enforcement and filed a criminal report. Recovering any funds will likely be impossible because Grinex is a sanctioned entity and the attackers were likely state-sponsored. Users of Grinex and TokenSpot are still unsure about the status of their funds, as all withdrawals from the exchange have been frozen indefinitely.