Grinex, a sanctioned Russia‑linked crypto exchange, announced Thursday it had been targeted in a large-scale cyberattack that led to the theft of more than one billion rubles (approximately $13.7 million) from user accounts. The company claimed the incident may have been linked to foreign intelligence agencies.
In an official statement, the exchange said that technical evidence points to an unusually high level of sophistication, suggesting access to capabilities typically limited to state-backed entities. Early assessments indicate the attack was organized to inflict direct damage on Russia’s financial system.
Grinex has faced ongoing challenges since its inception, including sanctions, targeted wallet monitoring, and blocked transactions aimed at limiting crypto transfers beyond the CIS, according to the exchange.
The breach is described as a new phase of destabilization involving coordinated cyber theft targeting Russian users.
As a result, Grinex has suspended its services and provided all collected information to law enforcement. Relevant authorities have been alerted and a criminal investigation is now underway.
The Garantex backstory
To understand why Grinex matters at all, it is important to first consider the background of Garantex. That exchange, sanctioned by OFAC in April 2022, became one of the most active conduits for Russian sanctions evasion and ransomware laundering over its six-year run.
From 2019 through its disruption by international law enforcement in March 2025, Garantex processed $96 billion in transactions. When authorities shut it down, they froze $26 million in assets, a rounding error relative to the volume that had already flowed through.
Following the takedown of Garantex by global law enforcement, investigators from TRM Labs reported that a new exchange, Grinex, had been identified as a likely successor.
TRM Labs’ analysis shows that Garantex had been heavily involved in sanctions evasion and illicit finance, processing massive transaction volumes despite OFAC restrictions. Prior to its shutdown, it began transferring assets into A7A5, a ruble-linked stablecoin used across the Ethereum and TRON networks, which may have been designed to help preserve liquidity and bypass enforcement actions.
In the aftermath, Grinex was promoted by Garantex-linked Telegram communities and showed strong operational similarities, including interface design and user migration patterns.
