Quick Insights

  • Grinex suspended trading after reporting a cyberattack that drained more than 1 billion rubles, or roughly $14 million.
  • TRM Labs said the stolen funds were consolidated at a single Tron address holding around 45.9 million TRX.
  • The exchange has previously been linked to Russia’s sanctions evasion infrastructure and described as a successor to Garantex.

Russia-linked crypto exchange Grinex has suspended trading after a hack drained more than 1 billion Russian rubles from the platform, a loss estimated at about $14 million. Grinex, which is registered in Kyrgyzstan, said the attack affected 54 addresses and claimed the breach showed a level of sophistication associated with hostile states, though that part has not been independently verified, according to Reuters.

The breach has drawn attention not just because of the money involved, but because Grinex was already under pressure. The exchange has been tied by Western authorities and blockchain investigators to Russia’s crypto infrastructure, and has also been described as a likely successor to Garantex. That makes this more than another exchange hack. It lands on a platform that was already operating under a cloud.

TRM Says the Stolen Funds Ended Up at One Tron Address

Investigators say the stolen assets were moved quickly. TRM Labs said it identified around 70 attacker-linked addresses, including roughly 16 more than Grinex publicly disclosed, and traced the known funds to a single Tron address holding around 45.9 million TRX. Elliptic separately said about $15 million in USDT left Grinex-linked accounts before being converted into TRX or ETH, a move that would reduce the risk of those funds being frozen by Tether.

That on-chain trail is one reason the story has spread so fast. Exchange hacks are common enough, but cases involving sanctioned platforms, stablecoin conversions and cross-chain fund movements draw a different kind of attention. They tend to interest investigators as much as traders. For broader context on how on-chain flows shape market narratives, see our guide to crypto market structure and institutional flows.

Grinex Was Already Facing Sanctions Evasion Scrutiny

Grinex’s wider significance comes from the allegations already surrounding it. The exchange has been accused by Western authorities of helping Russia build crypto-based payment rails after being cut off from parts of the traditional financial system. Elliptic founder Tom Robinson has also described Grinex as a key venue for trading A7A5, a ruble-backed stablecoin linked to sanctions evasion concerns. Grinex has previously denied involvement in illegal activity.

Why This Matters

When a breach hits an exchange that is already under sanctions scrutiny, the fallout goes beyond the immediate losses. It can also expose the wallets, counterparties and payment routes connected to that platform.

TRM Labs said Grinex may not have been the only exchange touched by the same attacker. According to its analysis, two wallets from Kyrgyzstan-based TokenSpot, a platform with on-chain links to Grinex, sent about $5,000 to the same consolidation address used in the Grinex incident. TokenSpot later said it had resumed full operations after a brief outage and a period of technical work earlier in the week.

What remains unclear is who carried out the attack, whether more exchanges were affected and how much of the stolen value can still be tracked. What is already clear is that Grinex has halted trading and been pushed back into the spotlight for all the wrong reasons. For readers following the wider digital asset market beyond live Bitcoin markets, it is another reminder that exchange risk and geopolitical risk can collide very quickly in crypto.

Disclaimer: Nakamoto Daily provides information for educational and entertainment purposes only. Nothing published here constitutes financial, investment, or trading advice. Readers should conduct their own research and consult a qualified financial adviser before making any investment decisions.