Kyrgyzstan Crypto Exchange Grinex Hit by $15M Hack, Exposing Russia Sanctions Evasion Network

Gate News message, April 17 — A cyberattack on Grinex, a Kyrgyzstan-based cryptocurrency exchange under US sanctions, has exposed a shadow financial network allegedly used to circumvent Western restrictions on Russia. Hackers stole approximately $15 million from Grinex in the attack, which also appears to have targeted TokenSpot, a closely linked platform. Both exchanges showed overlapping wallet activity and simultaneous downtime, suggesting a single attacker targeted an interconnected network.

Grinex was incorporated in Kyrgyzstan in December 2024, weeks before US authorities dismantled Garantex, a Russia-linked exchange sanctioned by the US Treasury's Office of Foreign Assets Control (OFAC) since April 2022. According to OFAC, which sanctioned Grinex in August 2025, the exchange was a direct continuation of Garantex with the same owners, clients, and infrastructure. When Garantex was shut down, Telegram channels affiliated with it immediately directed users to migrate their assets to Grinex. Before its takedown, Garantex had processed over $100 billion in transactions despite being under sanctions, with 82% of its volume linked to sanctioned entities globally.

Blockchain analysts identified more than 70 wallets linked to the theft, exceeding the number Grinex publicly disclosed. Stolen funds, mostly USDT on the TRON network, were swapped into ETH and TRX via the SunSwap decentralized exchange before being routed to a single consolidation address. TokenSpot was found routing funds to the same wallet while briefly going offline, pointing to shared infrastructure. Trading activity on Grinex also involved A7A5, a ruble-backed stablecoin, raising additional concerns about the nature of transactions processed.

Grinex blamed the attack on what it called the special services of unfriendly states, describing it as a systematic attempt to destabilize Russia's domestic financial sector and framing the hack as an act of financial warfare rather than a criminal breach. Blockchain intelligence firm TRM Labs said it had not verified that claim.