Grinex Exchange Halts Operations Following $13M Attack Tied to State Actors - Crypto Economy

TL;DR

• Grinex suspended operations after a cyberattack stole more than 1 billion rubles, or about $13.1 million, and the exchange alleged hostile foreign intelligence involvement.
• The stolen funds moved as USDT and were converted into TRX and Ether across linked addresses.
• The breach carries wider implications because Grinex has been tied to Russia-linked crypto infrastructure and the ruble-backed stablecoin A7A5, adding regulatory weight.

Grinex has suspended operations after a large cyberattack drained more than 1 billion rubles, or about $13.1 million, from user funds, forcing the Russia-linked exchange into crisis. The striking part is not only the size of the theft, but the accusation that it may have involved resources associated with hostile states. In a public statement, the platform said the breach bore signs of an operation by “foreign intelligence services” from unfriendly countries, though that claim has not been independently verified. Reuters reported the exchange halted activity after disclosing the incident.

The exchange’s own account and outside blockchain analysis suggest the theft was coordinated rather than chaotic. What initially looked like a platform hack now appears to have involved a structured effort to move stolen funds quickly across networks. Elliptic said Grinex reported the loss of more than 1 billion rubles and then suspended operations, while blockchain investigators found the stolen assets were moved largely as USDT before being converted into TRX and Ether. Analysts identified around 70 addresses tied to the incident, more than the exchange itself publicly disclosed.


A Breach With Broader Geopolitical Shadows

The incident is attracting outsized attention because Grinex is not being treated as an ordinary exchange in an ordinary market. Its role inside Russia-linked crypto infrastructure means the attack is being read through both a financial and geopolitical lens. U.S. authorities have accused Grinex of helping users move funds through the ruble-backed stablecoin A7A5, part of a wider system that has drawn scrutiny since Russia’s exclusion from SWIFT. TRM Labs has also identified Grinex as a likely successor to Garantex, the sanctioned exchange whose closure reshaped parts of the Russian-speaking crypto ecosystem.

For now, the exchange has gone dark while investigators try to determine what can be recovered and whether operations can safely restart. The deeper uncertainty is whether this remains a severe criminal breach or becomes something larger in the eyes of regulators and governments. Grinex said all available information had been handed to law enforcement and that a criminal complaint was filed where the infrastructure was located. No verified recovery timeline has been provided, leaving users facing a freeze on trading and transfers as the platform tries to contain damage and defend its narrative.