Grinex, a cryptocurrency exchange incorporated in Kyrgyzstan and recently sanctioned by both the U.K. and U.S., has announced a suspension of its operations following a significant breach estimated at $13.74 million. The exchange claims that Western intelligence agencies are behind this cyberattack, which it characterized as extensive and sophisticated.
The company reported that the attack resulted in the theft of over 1 billion rubles (approximately $13.74 million) from user accounts. Grinex asserted that the nature and execution of the attack exhibited signs of involvement from foreign intelligence organizations. The statement from the exchange emphasized that “digital forensic evidence and the complexity of the attack suggest an unprecedented level of resources, typically associated with hostile state actors.” Preliminary assessments have indicated a deliberate attempt to undermine Russia’s financial sovereignty.
A spokesperson for Grinex noted that its infrastructure had been under continual assault since the exchange’s inception, highlighting that this incident marks an escalation aimed at destabilizing the financial landscape in the region.
Grinex appears to be a rebranding of Garantex, another cryptocurrency exchange sanctioned by the U.S. Treasury in April 2022 for laundering funds related to ransomware and dark web markets, including Conti and Hydra. Sanctions against Garantex were reaffirmed in August 2025 due to its facilitation of over $100 million in illicit transactions. Reports indicate that, in response to these sanctions, Garantex moved its clientele to Grinex, continuing operations using a ruble-pegged stablecoin known as A7A5.
According to the U.S. Treasury and blockchain intelligence firms such as Elliptic and TRM Labs, the operational continuity of Grinex reflects a pattern of evasion tactics associated with its predecessor. A report from Elliptic revealed that Rapira, a cryptocurrency exchange based in Georgia with ties to Moscow, conducted over $72 million in direct transactions with Grinex, underscoring the ongoing challenges in sanction enforcement against Russian financial operations.
Further details emerge regarding the breach itself. On April 15, 2026, at approximately 12:00 UTC, funds were reportedly siphoned from Grinex and subsequently transmitted through accounts on the TRON or Ethereum blockchains. This was done intentionally to minimize the risk of the stolen Tether (USDT) assets being frozen. The cybercriminals quickly converted the stolen stablecoins into other tokens such as TRX or ETH, a common technique in laundering operations to prevent asset immobilization.
TRM Labs has traced approximately 70 addresses linked to the breach, noting that TokenSpot, a likely front for Grinex, was also impacted, albeit on a smaller scale with less than $5,000 stolen. On the day of the breach, TokenSpot had posted on its Telegram channel about technical difficulties but resumed operations shortly after.
In analyzing this incident, Chainalysis observed that the funds underwent rapid conversion to non-freezable tokens, a maneuver typically employed by malicious actors aiming to launder illicit gains before they can be seized. Given Grinex’s heavily sanctioned status and its connections to Garantex, there are suggestions that this incident could also be an orchestrated disruption rather than a traditional cybercriminal exploit. However, the ramifications of this breach represent a significant challenge to the established frameworks of sanctions against Russian entities.