Grinex Hack Erases $13.7 Million in Ruble-Backed Assets

Users of the Grinex cryptocurrency exchange are locked out of their accounts and funds. All trading, deposits, and withdrawals have been suspended indefinitely. The suspension follows a cyberattack that drained more than 1 billion Russian rubles, approximately $13.7 million, from 54 wallet addresses. Blockchain analytics firms Elliptic and TRM Labs tracked approximately $15 million in USDT leaving Grinex-linked accounts. To prevent Tether from freezing the stolen stablecoins, the attackers routed funds through the Tron and Ethereum networks and converted the USDT into TRX and ETH. The stolen assets were consolidated into a single wallet holding 45.9 million TRX, valued at approximately $15 million. Grinex, a Kyrgyzstan-registered exchange tied to Russia's domestic crypto-ruble ecosystem, attributed the breach to "foreign special services" and "foreign intelligence agencies." The platform is the successor to Garantex, a Moscow-based exchange sanctioned by the U.S. Treasury in 2022 for processing over $150 million in ransomware payments. After Garantex ceased operations in March 2025, liquidity and users migrated to Grinex, which other sources describe as a primary hub for the ruble-backed stablecoin A7A5, which Elliptic estimates has processed more than $100 billion in transactions. Two wallets linked to TokenSpot, another Kyrgyzstan-based exchange, transferred roughly $5,000 to the same consolidation address used in the Grinex heist.