A sanctioned, Russia-linked crypto exchange based in Kyrgyzstan, has abruptly halted operations after reporting a large-scale cyberattack. Another Hacked Crypto Exchange…Or Is It? The crypto exchange Grinex suspended activity after hackers siphoned off roughly 1 billion rubles (around $13 million in crypto) from its infrastructure, forcing it to suspend trading and withdrawals. In its official public statement , Grinex claims the hack bore the hallmarks of “special services” from “unfriendly states,” framing the incident as economic warfare rather than a straightforward security failure. The crypto exchange also stated that it has filed a formal police report. Blockchain analytics firms and prior investigations have described Grinex, launched in 2025, as the full-fledged successor to Garantex, a Moscow-based centralized exchange (CEX) sanctioned by the United States and European partners for handling illicit transactions and sanctions evasion. Alongside rubles and USDT, Grinex also acts as the main venue for trading A7A5, which many view as the first stablecoin directly tied to the Russian ruble. In the past, this helped Russian actors recover frozen balances and move money around sanctions chokepoints. Grinex and related entities have been cited as critical nodes in a broader Russian sanctions-evasion ecosystem that has processed hundreds of billions of dollars’ worth of activity tied to state-adjacent finance. Economic Warfare Or Convenient Cover? According to the crypto CEX, its infrastructure was compromised in a “large-scale” operation, publishing a list of hacked accounts with outgoing transfers that blockchain investigators have traced across TRON and Ethereum. The attacker rapidly swapped the proceeds into TRX and other assets Instead of leaving the funds in USDT, thus minimizing the risk of a stablecoin freeze and consolidating them into a handful of wallets that currently hold tens of millions of TRX. TRM Labs and other forensic teams report that TokenSpot , a Kyrgyzstan-based platform assessed as a likely front for Garantex, showed overlapping wallets, shared consolidation addresses and simultaneous downtime. This suggests a coordinated hit on a linked sanctions-evasion network instead of just a one-off exploit. Grinex’s public statement argues the attack used “unprecedented” resources available only to foreign intelligence from unfriendly states, and that it was part of a systematic campaign to cut Russian access to offshore withdrawals. That claim lands in a context where U.S., UK and EU authorities have already sanctioned the CEX, seized infrastructure, and targeted wallets linked to Russian illicit finance and even conflict actors like the Houthis. What This Means For Crypto Risk Whether or not state actors were actually involved in this hack, the incident highlights how politically exposed crypto exchanges are turning every major security event into a narrative battle over “financial sovereignty” versus “illicit finance”. For traders and market participants, the Grinex episode reminds us of the structural risk of routing volume through sanctioned or opaque offshore venues that double as sanctions-evasion rails, even when headline yields or liquidity look attractive. On-chain investigators have now publicly mapped critical parts of this network, making it more likely that enforcement, secondary sanctions and deplatforming will keep ratcheting up. Such a trend that can suddenly strand funds or counterparties if you are on the wrong side of those flows. In practical terms, this kind of hack pushes risk premia higher around Russia-linked liquidity, increases the odds of further wallet blacklisting and stablecoin freezes, and reinforces the case for traders to price in jurisdiction, sanctions exposure and forensics footprint when they choose where to trade. Cover image from Perplexity. BTCUSD chart from Tradingview.
