
Grinex, a Kyrgyzstan-registered exchange with deep ties to the Russian crypto market, announced on Thursday that it would suspend withdrawals and trading after its wallet infrastructure was hit by a “large-scale cyberattack.” Blockchain analytics firm Elliptic estimates the attack stole about $15 million in USDT. In an official statement on its website, Grinex characterized the incident as organized crime that harms financial sovereignty, and said the attack techniques have the hallmarks of “hostile nation actor” capabilities.
(Source: Grinex)
After being stolen, the USDT was quickly routed through intermediary addresses on the Tron and Ethereum networks and ultimately converted into TRX and ETH. Elliptic noted that the purpose of this conversion operation is likely to reduce the risk of funds being frozen by Tether—Tether has the technical capability to blacklist USDT addresses associated with illegal activity, preventing them from being used in subsequent circulation.
On-chain data disclosed by Grinex itself also confirms this flow: a related wallet identified by the exchange shows a balance of about 459 million TRX, worth more than $15 million, suggesting that the stolen assets had already been consolidated into a single address after the initial transfer.
It is widely believed in the market that Grinex is the successor to the sanctioned exchange Garantex. Garantex was sanctioned and shut down last year after U.S. authorities determined that it facilitated the flow of hundreds of millions of dollars in illegal funds related to ransomware and dark web markets. Within days after Garantex’s shutdown, its liquidity and users quickly migrated to alternative platforms such as Grinex.
Exchange registration location: Kyrgyzstan, deeply linked to the Russian market
Relationship to the prior entity: widely recognized as the successor platform of the sanctioned Garantex
Market role: the primary venue for ruble-to-crypto trading
A7A5 stablecoin hub: the core circulation center for the ruble-backed stablecoin A7A5
Total A7A5 transaction volume: Elliptic estimates it has exceeded $100 billion
Within a few days after Garantex shut down, its users and liquidity clearly migrated to platforms such as Grinex. Grinex then took over from Garantex as a core crypto trading venue for the Russian market, in particular by assuming the trading and circulation functions for ruble-to-crypto pairs and for the ruble-backed stablecoin A7A5. Its market positioning closely matches that of Garantex.
Tether has the technical capability to blacklist USDT addresses involved in illegal activity; once frozen, the USDT would be unable to make any transfers or trades. Converting USDT into TRX or ETH can effectively bypass this freezing mechanism because Tether’s blacklist feature does not apply to other cryptocurrencies, allowing the stolen funds to continue circulating.
Grinex’s statement frames the attack as an organized action targeting Russia’s financial sovereignty, but it provides no specific technical evidence for attribution. In the absence of a detailed technical analysis report, such allegations are difficult to verify independently. For now, the term “hostile nation” is more a political narrative than a conclusion based on publicly available technical attribution.