M ore than $13 million has been wiped from user accounts at Grinex, a sanctioned crypto exchange linked to Russia, forcing an immediate shutdown of all operations. The platform said hackers stole over 1 billion rubles and attributed the breach to "foreign intelligence services," citing digital traces of state-level tools—though it provided no public proof.
Related Brief 10h ago
cybersecurity Grinex Hack Erases $13.7 Million in Ruble-Backed Assets
Users of the Grinex cryptocurrency exchange are locked out of their accounts and funds. All trading, deposits, and withdrawals have been suspended indefinitely. The suspension follows a cyberattack that drained more than 1 billion Russian rubles, approximately $13.7 million, from 54 wallet addresses. Blockchain analytics firms Elliptic and TRM Labs tracked approximately $15 million in USDT leaving Grinex-linked accounts. To prevent Tether from freezing the stolen stablecoins, the attackers routed funds through the Tron and Ethereum networks and converted the USDT into TRX and ETH. The stolen assets were consolidated into a single wallet holding 45.9 million TRX, valued at approximately $15 million. Grinex, a Kyrgyzstan-registered exchange tied to Russia's domestic crypto-ruble ecosystem, attributed the breach to "foreign special services" and "foreign intelligence agencies." The platform is the successor to Garantex, a Moscow-based exchange sanctioned by the U.S. Treasury in 2022 for processing over $150 million in ransomware payments. After Garantex ceased operations in March 2025, liquidity and users migrated to Grinex, which other sources describe as a primary hub for the ruble-backed stablecoin A7A5, which Elliptic estimates has processed more than $100 billion in transactions. Two wallets linked to TokenSpot, another Kyrgyzstan-based exchange, transferred roughly $5,000 to the same consolidation address used in the Grinex heist.
Grinex announced the attack on its Telegram channel, stating it had suspended services and forwarded breach data to law enforcement. It claimed the assault targeted Russia’s financial sovereignty and represented a new phase in cyber aggression against Russian users. A criminal investigation is now underway.
Related Brief 6h ago
cryptocurrency security Grinex outage blocks withdrawals for Russian stablecoin traders
Users of the Grinex cryptocurrency exchange cannot access deposits or withdrawals. The platform has blocked all withdrawals and halted trading while it investigates a cyberattack that resulted in losses of more than 1 billion rubles, or approximately $13 million. Grinex suspended all operations and placed its website under a maintenance notice following the breach. The exchange stated the attack was coordinated to cause direct damage to the financial sovereignty of Russia and may have been carried out by foreign intelligence groups.
The exchange, based in Kyrgyzstan, has long operated under Western sanctions. The U.S., U.K., and European Union designated it last year for helping users circumvent financial restrictions, particularly through A7A5, a ruble-backed stablecoin used in cross-border transfers outside traditional banking rails. U.S. officials have said such mechanisms enable evasion of capital controls and international sanctions.
Related Brief 3h ago
cybersecurity A billion-ruble hack of Grinex reveals the fragility of Russian sanctions evasion conduits
User accounts at Grinex, a sanctioned Russia-linked crypto exchange, lost more than one billion rubles ($13.7 million) in a large-scale cyberattack. The exchange has suspended its services. Grinex claims the attack was organized to inflict direct damage on Russia's financial system and was linked to foreign intelligence agencies with capabilities limited to state-backed entities. The exchange continues to face sanctions, targeted wallet monitoring, and blocked transactions limiting crypto transfers beyond the CIS. TRM Labs identified Grinex as a likely successor to Garantex, an exchange that processed $96 billion in transactions from 2019 through March 2025. To preserve liquidity and bypass enforcement actions, Garantex transferred assets into A7A5, a ruble-linked stablecoin. International law enforcement shut down Garantex in March 2025.
Grinex had already faced operational constraints: wallet monitoring, blocked transactions, and limits on transfers beyond the Commonwealth of Independent States. It framed the hack as an escalation of sustained pressure.
Related Brief 8h ago
stablecoins Tether uses $127.5 million recovery fund to displace USDC as Drift Protocol settlement asset
Impacted Drift Protocol users will receive transferable recovery tokens representing claims on a recovery pool to recoup losses over time. The pool is funded by a $127.5 million commitment from Tether and $20 million from partner ecosystem funds. This recovery follows an April 1 exploit in which North Korean-linked hackers compromised a multisignature wallet and stole $295.7 million in user funds, including $159 million in JLP, USDC, cbBTC, and SOL. The shift in asset preference is accelerated by Circle's failure to freeze the stolen funds. Circle now faces a class action suit accusing the firm of knowingly permitting attackers to offload $230 million in USDC via its blockchain bridge CCTP over several hours. As part of the relaunch, Drift Protocol is shifting its settlement asset from USDC to USDT. The move displaces USDC, which holds a market cap of $8.1 billion on Solana, 2.65 times larger than USDT's $3.05 billion. Tether claims the transition will bring 128,000 users and 35 ecosystem teams onto USDT-based trading.
The exchange emerged after the March 2025 takedown of Garantex, another Russia-linked platform accused of handling ransomware proceeds and sanctions-evasion flows. TRM Labs identified Grinex as Garantex’s likely successor, noting similarities in design, user migration, and A7A5 activity.
Related Brief 1d ago
cybersecurity Kraken Refuses Ransom After Insider Breach Exposes 2,000 Accounts
Two thousand Kraken clients face the risk of their private data being leaked on social media. The exposure occurred after two support employees were recruited by a cybercrime group to gain improper access to internal systems. These employees recorded videos of internal systems containing client support data for 2,000 accounts, or 0.02% of the user base. Kraken revoked employee access and strengthened controls following a tip in February 2025. A criminal group subsequently threatened to release the videos to media outlets and social media unless payment was made. Kraken refused to pay or negotiate with the ransom demands. A criminal investigation is underway to identify and arrest the responsible individuals. 2,000 clients face the risk of their private data being leaked on social media.
After Russia’s exclusion from SWIFT, alternative crypto channels became critical for maintaining international trade under sanctions. The collapse of Grinex now severs one of those conduits.
Related Brief 5h ago
cryptocurrency exchange Russian Ruble Crypto Gateway Grinex Halts Trading After $13 Million Theft
Users cannot trade or access assets on Grinex after the exchange suspended its services. The suspension follows a cyber attack that resulted in the theft of 1 billion roubles, or $13 million. Grinex attributed the attack to foreign intelligence services from unfriendly states, claiming the operation was coordinated to harm Russia's financial sovereignty. The exchange is registered in Kyrgyzstan but serves as one of the largest venues for exchanging Russian rubles into crypto assets. Blockchain intelligence firm Elliptic identifies Grinex as having common ownership and management with Garantex, a Russian exchange sanctioned by the US Treasury's Office of Foreign Assets Control for laundering hundreds of millions of dollars. Grinex was created as a response to those sanctions, absorbing much of the liquidity and customers from Garantex. The platform also serves as a primary trading venue for A7A5, a ruble-backed stablecoin used to move more than $100 billion in sanctions-evasion efforts.
The Ledger Morning The essential intelligence to start your trading day. Delivered 6:00 AM EST.
Join 50,000+ professionals who start their day with The Digital Ledger.
