Key Takeaways:
- Grinex halts operations after a state-level hack drains over 1 billion rubles in USDT from user wallets.
- The 2025 takeover of Garantex solidified Grinex as a primary target for ongoing U.S. sanctions.
- Law enforcement is reviewing logs from 54 wallets as Grinex seeks to recover 13.74 million USDT in stolen TRX.
Allegations of State-Sponsored Interference
Grinex, a crypto-ruble exchange serving Russian businesses and individual investors, has suspended operations after a sophisticated cyberattack. The breach resulted in the theft of digital assets valued at approximately $13.74 million (more than 1 billion rubles) in the stablecoin USDT.
The exchange, which remains under U.S. sanctions, claims the “unprecedented” hack suggests the involvement of foreign intelligence agencies from “hostile states.”
According to preliminary forensic data provided by the exchange, the attackers’ digital footprint indicates a level of coordination typically reserved for state-level actors. A spokesperson for the exchange said the attack was a deliberate attempt to destabilize the domestic financial sector and harm Russia’s financial sovereignty.
“From the very beginning, the exchange’s infrastructure has been subject to attacks,” the spokesperson said. “The exchange was placed on sanctions lists, crypto wallets were targeted, and transactions were blocked. Today, attempts to destabilize the domestic financial sector have reached a new level — the direct theft of assets.”
Grinex remains a target of U.S. and international sanctions intended to isolate the exchange from the global financial system. The company gained prominence in 2025 after absorbing the client base and infrastructure of Garantex, another exchange shuttered by Western regulatory pressure.
According to Grinex, it was involved in the recovery and return of 2.5 billion rubles worth of digital assets previously frozen by Tether, the issuer of the USDT stablecoin. The exchange said the stolen funds were drained from dozens of individual wallets, converted into the cryptocurrency TRX, and consolidated into a single destination address.
The exchange has filed a formal criminal complaint and handed over technical logs and digital evidence to law enforcement. There is no projected date for the resumption of services or a formal plan for user reimbursement. While the exchange remains offline, it maintains that these “hostile actions” are part of a broader geopolitical effort to restrict digital asset transfers within the Commonwealth of Independent States.
