On April 16, 2026, grinexA cryptocurrency exchange registered in Kyrgyzstan but deeply connected to Russian financial networks has suspended all operations after a large-scale cyber attack. The platform stated: hackers had consumed approximately $15 million worth of user assets; This was equivalent to more than a billion Russian rubles.
Grinex immediately notified law enforcement and shared details of the seized information with the public. walletsframes the incident as an act of economic sabotage by foreign adversaries equipped with advanced capabilities typically only accessible to state-level actors.
blockchain intelligence Experts at TRM Labs conducted a comprehensive on-chain investigation and identified approximately 70 addresses linked to the theft; that number is about 16 more than those listed by Grinex itself.
Stolen funds are primarily USDT Tokens on the TRON blockchain were quickly exchanged for TRX through the decentralized platform SunSwap.
All proceeds were transferred to a single consolidation wallet where approximately 45.9 million TRX (worth approximately $15 million) was held shortly after the event.
TRM analysts also uncovered evidence that the same attacker attacked a related exchange in Kyrgyzstan called Tokenspot on or around April 15.
Two Tokenspot addresses directed small amounts (less than $5,000 total) to the same address TRON Consolidation address used by Grinex wallets.
Both platforms experienced brief outages simultaneously, indicating a coordinated operation targeting the interconnected infrastructure.
Elliptical‘s independent analysis closely aligned with these findings, confirming an outflow of approximately $15 million of USDT from Grinex-controlled accounts around midday UTC on April 16.
The stolen stablecoins were then converted into TRX or ETH A common tactic on the TRON and Ethereum networks to reduce the risk of instant asset freezing by issuers like Tether.
Grinex operates as the de facto successor of the infamous Garantex Russian The exchange was dismantled by international law enforcement in March 2025 after years of facilitating illicit flows exceeding $100 billion, many of which were linked to sanctioned entities.
Grinex was founded in late 2024 and quickly absorbed users and liquidity from Garantex.
US authorities sanctioned the platform in August 2025, along with VIPs and the issuer of the ruble-pegged A7A5. stablecoin This served as the cornerstone of Russia’s parallel payment systems.
Owned by Tokenspot finished Volume in excess of $4 billion since late 2023 shows on-chain overlap with both Garantex and Grinex; this includes significant transfers linked to broader sanctions evasion networks and even illicit activities involving sanctioned groups.
TRM Laboratories Citing the relatively modest sums received from Tokenspot and the indiscriminate nature of wallet targeting, he likely cast the breach as an external cyber operation rather than an internal exit scam.
While Grinex continued limited communication, Tokenspot announced that it would briefly conduct technical maintenance before returning to service.
Related event highlights ongoing risks faced by platforms embedded in high-risk sanctions evading ecosystems; attackers Continue to benefit from shared infrastructure despite increasing regulatory pressure. The full scope of the theft and possible recovery efforts remain under review by global authorities as investigations progress. block chain forensic teams.
