Grinex Crypto Exchange Shuts Down After $13 Million Hack Blamed on Foreign Spies

Grinex went dark after losing more than $13 million in a cyberattack the Russian exchange says came from foreign intelligence services. All trading stopped. Withdrawals froze. The Moscow City office quit issuing permits.

The stolen funds totaled over 1 billion rubles. Attackers converted everything into TRX cryptocurrency and moved it to one address, according to Grinex. That wallet now holds around 45.9 million TRX, worth roughly $15 million. The exchange called this a targeted strike against Russia’s financial system, not just a random hack. Before this, Grinex had dealt with sanctions and transaction blocks outside the Commonwealth of Independent States. But nobody stole assets until now.

Criminal Investigation Begins

Grinex contacted law enforcement to start criminal proceedings. The company handed over all technical details about the attack to investigators. Right now, efforts center on tracking the stolen assets and figuring out the legal mess. The exchange insists it’s not shutting down permanently, despite the breach. Operations remain suspended while the investigation plays out.

The company maintains this wasn’t some ordinary crypto theft. They’re pointing fingers at foreign state agencies, claiming the sophistication and resources involved prove government involvement. That’s a pretty bold claim. But Grinex says the attack’s technical complexity backs it up.

Garantex Connection Raises Questions

People are asking hard questions about Grinex’s ties to Garantex. That platform got sanctioned and closed in March 2025. TRM Labs found something interesting. Grinex popped up less than two weeks after Garantex shut down. And there were liquidity transfers in ruble stablecoin A7A5 from Garantex’s wallets straight to Grinex.

Investigators see the platforms’ infrastructures as basically identical. Looks like a simple rebranding rather than a new entity. Same wallet clusters. Same transfer routes. Minimal changes beyond the name. So when Garantex faced sanctions, did management just slap a new label on everything and keep going? That’s what analysts think happened.

The timing seems too convenient. Garantex closes. Grinex opens. Money flows between them. The technical setup matches. It’s not complicated math.

Grinex representatives said the cyberattack made existing pressures worse. They’d already dealt with sanctions and special wallet labeling that hurt operations beyond the CIS region. Now this. The exchange faces challenges in maintaining service continuity, and that’s putting it mildly.

International regulators and financial analysts are watching closely now. The exchange’s emergence right after Garantex’s closure raises obvious questions about who’s really running things and whether operational practices changed at all. Probably not much, based on the evidence. Analysts have drawn connections to Crypto holders fear for their safety amid evolving conditions.

Despite everything falling apart, Grinex wants to project resilience. They’re working with authorities to pursue legal action and recover stolen funds. The company emphasizes its commitment to overcoming obstacles from the breach. Whether users believe that is another story.

Crypto exchanges operating under international scrutiny face serious challenges, and Grinex’s situation shows how fast things can spiral. The Garantex connection drew attention from financial regulators and analytical agencies pretty much immediately. Suspicions run high that Grinex might be Garantex 2.0 rather than something genuinely separate.

Technical details of the attack became a focal point for investigators. Grinex shared information about the breach, focusing on how stolen assets got converted into TRX cryptocurrency. That conversion and the subsequent transfer to a single address help explain the theft’s mechanics. It also supports Grinex’s claim about foreign entities orchestrating the attack, though that’s still unproven.

The exchange’s response included a detailed examination of the cyberattack’s technical aspects. Grinex wants to uncover the full scope of what happened. They’ve emphasized that the resources and sophistication involved suggest foreign government entities intervened. That assertion points to a larger geopolitical context that may have motivated the attack. Or it’s a convenient excuse for inadequate security. Hard to say.

The temporary suspension disrupted services completely. Users can’t access accounts or conduct transactions. Grinex says this measure safeguards the platform and user assets while investigations continue. The company acknowledged this incident represents a significant escalation from previous pressures like sanctions and transaction blocks, which they’d managed to navigate until now.

Amid the uncertainties, Grinex’s management stays focused on legal recourse and asset recovery. The exchange’s determination to continue operations reflects its commitment to restoring normalcy and maintaining user trust, at least according to their statements. As the investigation moves forward, Grinex’s ability to address the breach’s fallout will be monitored closely by stakeholders and regulatory bodies.

The 45.9 million TRX sitting in that single wallet represents the clearest evidence of the theft. Tracking those funds became priority number one for investigators. TRX transactions leave traces, but moving crypto across borders and through mixers can obscure trails fast. Whether authorities can recover anything remains unclear. Industry observers have noted parallels with CoW Swap Shuts Down After Front-End in recent weeks.

Grinex’s Moscow City office stopping permit issuance signals deeper operational problems beyond just the hack. That’s an administrative function separate from trading operations. When that shuts down, it suggests the company’s facing systemic issues, not just a temporary security breach.

The exchange’s claim about foreign state involvement adds a geopolitical layer to what might otherwise be a straightforward crypto theft. Russian exchanges have operated in a complex regulatory environment, dealing with both domestic oversight and international sanctions. Grinex’s assertion that this attack targeted Russia’s financial system broadly, not just their platform, positions the incident as something bigger than one company’s security failure.

But the Garantex connection complicates that narrative. If Grinex is basically Garantex with a new coat of paint, then the attack might have targeted a sanctioned entity that tried to evade consequences through rebranding. That changes the story significantly.

Users left unable to access funds face an uncertain wait. No timeline exists for when operations might resume or whether withdrawals will eventually process. The exchange’s insistence that it won’t cease operations permanently offers little comfort to people who can’t touch their money right now.