Grinex halts trading after $15M hack, blames ‘hostile states’

Grinex, a Kyrgyzstan-registered cryptocurrency exchange, halted trading and withdrawals on Thursday after a cyberattack that drained roughly $15 million in USDT from wallets linked to the platform. The exchange posted a statement saying more than 1 billion rubles had been stolen and temporarily suspended access while it investigates and secures its wallet infrastructure.

In its statement, Grinex said the operation appeared coordinated “with the aim of directly harming Russia's financial sovereignty” and claimed the attack required “resources and technologies available exclusively” to what it called hostile state actors. The exchange did not name any countries and gave no timetable for restoring services.

Blockchain analytics firm Elliptic traced about $15 million in USDT from addresses tied to Grinex. The firm reported the funds were routed through addresses on the Tron and Ethereum networks before being converted into TRX and ETH. Elliptic said those conversions likely reduced the risk of the stolen USDT being frozen, since Tether has the technical ability to blacklist USDT linked to illicit activity.

Grinex identified a wallet with a remaining balance of roughly 45.9 million TRX, valued at just over $15 million, indicating most assets were consolidated after the initial transfers. The exchange has not published details on how the attackers gained access to its wallet infrastructure.

Grinex has grown into a key venue for ruble-to-crypto trading after the shutdown last year of a sanctioned Russian-linked exchange. The platform is a primary hub for a ruble-backed stablecoin known as A7A5, which analytics firms estimate has processed large volumes of transactions.

Authorities and blockchain monitors are tracking on-chain movements and any further disclosures from Grinex to determine the full scope of the breach and whether additional customer funds were affected.