
Sanctioned Russian Exchange Grinex Shuts Down After $15 Million Hack It Blames on Western Intelligence Services

Grinex, the sanctioned successor to Garantex, has suspended operations after attackers drained approximately $15 million from its systems. The exchange blamed 'foreign intelligence agencies' — a claim blockchain forensics firms have not corroborated.

By William Dale · 3 min read

Grinex, the sanctioned crypto exchange that emerged from the ashes of Garantex, has suspended all operations after attackers drained approximately $15 million from its systems and a linked Kyrgyzstani exchange called TokenSpot.

The exchange announced the shutdown on 16 April, claiming the attack bore "signs of involvement by foreign intelligence services" and was designed to damage Russia's financial system. It published a list of 54 wallet addresses attributed to the attacker, most holding USDT on the TRON blockchain. Blockchain forensics firm TRM Labs, which independently analysed the incident, identified roughly 70 affected addresses — 16 more than Grinex disclosed publicly — and put the total losses at approximately $15 million across both platforms.

TRM's analysis found that the stolen assets were predominantly USDT on TRON. The attacker converted the stablecoins to TRX via SunSwap, a decentralised exchange, then consolidated the proceeds into a single TRON address. Four Ethereum addresses were also connected to the incident, though the destination of those funds remained under investigation at the time of TRM's report. The firm assessed the incident as "more likely an external cyber operation rather than an exit scam," based on the indiscriminate targeting and the relatively trivial amount taken from TokenSpot — less than $5,000.

Grinex's claim of state-backed attribution is convenient but unverified. TRM Labs stated plainly that it "has not independently verified that attribution." The exchange said the digital traces pointed to "a highly sophisticated operation backed by significant resources and advanced technology," capabilities it associated with state-level actors. No government has claimed responsibility, and no independent cybersecurity firm has corroborated the claim.

The background here matters more than the hack itself. Garantex, Grinex's predecessor, operated from 2019 until its dismantling in March 2025 and processed over $96 billion in transactions despite being sanctioned by the US Office of Foreign Assets Control in April 2022. It functioned as one of the most active conduits for Russian sanctions evasion and ransomware laundering — 82 per cent of its total volume was linked to sanctioned entities globally, according to TRM Labs.

When Garantex was finally shut down, its operators had already prepared the succession. Grinex was incorporated in Kyrgyzstan in December 2024, weeks before the enforcement action. TRM Labs identified it as a likely Garantex successor based on similar interface design and user migration patterns promoted through Garantex-linked Telegram communities. The new exchange inherited not just the user base but also the regulatory baggage — OFAC sanctioned Grinex in August 2025, and the EU and UK followed.

Before its closure, Garantex had shifted assets into A7A5, a ruble-backed stablecoin operating on Ethereum and TRON that was designed to preserve liquidity and bypass enforcement. The token allowed cross-border payments when Russia's access to the SWIFT inter-bank messaging system was cut off over the country's invasion of Ukraine — a digital workaround for a geopolitical sanction.

TokenSpot, the Kyrgyzstani exchange caught in the same attack, appears to have been more deeply enmeshed in the network than its modest branding suggested. TRM Labs assessed it as a likely front company for Garantex, noting that it had processed $4 billion in transaction volume between December 2023 and March 2026, transferred $88 million to Garantex and Grinex combined, and sent $257.5 million to the A7A5 sanctions evasion network. Nearly $1 million in its holdings was traced to a wallet sanctioned for Houthi money laundering.

The Bybit hack earlier this year demonstrated that even well-resourced, legitimate exchanges remain vulnerable to sophisticated state-linked attackers. That a sanctioned exchange running sanctions evasion infrastructure got hit by what may — or may not — be a state-sponsored operation adds a layer of irony. Whether the attacker was a Western intelligence agency, a rival criminal network, or an insider with access, the practical outcome is the same: another node in Russia's sanctions evasion apparatus has gone dark, and roughly $15 million in illicit funds has changed hands once again.
