Exchange Claims Foreign Intelligence Behind $13.7M Breach
Grinex announced the suspension via its official website and Telegram channel, stating that attackers stole approximately 1 billion rubles. In an unusual move, the exchange published the specific cryptocurrency addresses involved in the alleged theft and publicly blamed foreign intelligence services of unfriendly states for coordinating the attack to harm Russia’s financial sovereignty.
The exchange provided on-chain evidence by disclosing the source and destination addresses of the exfiltrated funds. This transparency, while rare for hacked exchanges, allows independent verification of the claim through blockchain forensics.
On-Chain Evidence Contradicts the Official Narrative
Blockchain analysis reveals critical inconsistencies in Grinex’s account. The stolen funds, held primarily in fiat-backed stablecoins, were rapidly swapped for Tron (TRX) tokens using a Tron-based decentralized exchange that Garantex had previously relied upon for liquidity operations.
This behavior pattern contradicts how Western law enforcement typically handles cryptocurrency seizures. According to Chainalysis analysis of the March 2025 Garantex takedown, U.S. authorities froze $26 million in stablecoin assets by requesting the issuer to globally freeze the funds. The frantic conversion from freezable stablecoins to non-freezable tokens is a hallmark tactic of cybercriminals attempting to launder funds before centralized freezes execute.
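The swap pattern described above can be written as a triage heuristic over transfer records. This is an added example, not code from the article, Grinex or Chainalysis; the event schema, asset sets, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FREEZABLE = {"USDT"}      # assumption: stablecoin whose issuer can freeze balances
NON_FREEZABLE = {"TRX"}   # native token with no issuer-level freeze

@dataclass
class Event:
    ts: datetime
    address: str
    kind: str            # "receive" or "swap"
    asset: str           # asset received, or asset sold in a swap
    usd: float
    to_asset: str = ""   # asset bought in a swap

def flag_rapid_conversion(events, window=timedelta(hours=1), min_share=0.8):
    """Return {address: share} where at least min_share of freezable inflow
    was swapped to a non-freezable asset within `window` of the first inflow."""
    first_in, inflow, converted = {}, defaultdict(float), defaultdict(float)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "receive" and e.asset in FREEZABLE:
            first_in.setdefault(e.address, e.ts)
            inflow[e.address] += e.usd
        elif (e.kind == "swap" and e.asset in FREEZABLE
              and e.to_asset in NON_FREEZABLE
              and e.address in first_in
              and e.ts - first_in[e.address] <= window):
            converted[e.address] += e.usd
    flagged = {}
    for addr, total in inflow.items():
        if total > 0:
            share = round(converted[addr] / total, 2)
            if share >= min_share:
                flagged[addr] = share
    return flagged

# Constructed sample events (not real addresses or amounts).
T0 = datetime(2025, 1, 1, 10, 0)
SAMPLE = [
    Event(T0, "ADDR_A", "receive", "USDT", 1_000_000),
    Event(T0 + timedelta(minutes=5), "ADDR_A", "swap", "USDT", 600_000, "TRX"),
    Event(T0 + timedelta(minutes=20), "ADDR_A", "swap", "USDT", 350_000, "TRX"),
    Event(T0, "ADDR_B", "receive", "USDT", 500_000),
    Event(T0 + timedelta(days=1), "ADDR_B", "swap", "USDT", 100_000, "TRX"),
    Event(T0, "ADDR_C", "receive", "USDT", 250_000),  # holds, never swaps
]

if __name__ == "__main__":
    print(flag_rapid_conversion(SAMPLE))
```

A flag from this heuristic only says funds left the freezable asset quickly; it does not attribute the actor, which is why the article weighs several scenarios.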
False Flag Operation or Criminal Exploit
The on-chain movements suggest three possible scenarios. First, if Western authorities conducted the attack, they would likely freeze stablecoins rather than swap them. Second, common cybercriminals would execute the observed token swap to avoid seizure. Third, Russia-linked insiders could stage a false flag operation to quietly exit with liquidity while deflecting blame.
Russia maintains a well-documented history of employing false flag tactics across military and cyber domains. Darknet markets previously linked to Russia have shuttered under alleged hacks, only for blockchain data to reveal administrators transferring user funds to personal wallets.
Grinex’s Role in Sanctions Evasion Infrastructure
Grinex operated as the primary trading hub for A7A5, a Russian ruble-backed token issued by sanctioned Kyrgyzstani firm Old Vector. According to Chainalysis reporting, A7A5 facilitated $93.3 billion in transactions last year, serving as critical infrastructure for cross-border settlements and Western sanctions evasion.
The exchange itself was sanctioned by the U.S. (through OFAC), the UK, and the EU in 2025 following its establishment as Garantex’s successor.
What Happens Next
At publication, the exfiltrated funds remain concentrated on a single address. As these assets move downstream through the blockchain, forensic evidence will reveal whether the attacker is law enforcement, cybercriminals, or insiders. Chainalysis has labeled relevant addresses in its monitoring systems to track downstream movements and identify potential successor entities to the disrupted exchange.



