Grinex Hacked: Exchange Loses Around $15M and Halts Operations
The incident affected not only Grinex but also TokenSpot, a platform tied to multi-billion-dollar flows within a sanctions evasion network. Both play a key role in a parallel financial system linked to Russia.
17.04.2026
139
8 min
0
Key Points
- Grinex, a sanctioned exchange believed to be a successor to Garantex and a major crypto financial channel tied to Russia, lost around $15 million in a cyberattack on April 16, 2026.
- Roughly 70 addresses were linked to the incident—about 16 more than Grinex publicly disclosed. All known stolen funds were converted into TRX via SunSwap and consolidated into a single TRON address.
- TokenSpot, believed to act as a front for Garantex, was also impacted. Two of its addresses sent funds to the same consolidation wallet used in the Grinex attack. Both were deactivated on April 15, suggesting a possible single attacker behind both incidents.
- The breach affected two exchanges that play a central role in a broader sanctions evasion network tied to Russia, which has processed hundreds of billions of dollars in transactions linked to state-aligned financial activity.
What Grinex and TokenSpot Said
Grinex published a list of 54 wallet addresses allegedly tied to the attacker and said it had shared the data with law enforcement. The company claimed the attack was carried out by “special services of unfriendly states,” framing it as part of a broader effort to undermine Russia’s financial sovereignty. These claims have not been independently verified.
| Addresses used to withdraw assets stolen from Grinex |
| TSuqrq4pGCNkzmZ9Yq1p8XVeYHW3LPjh1A |
| TX8LhoBChot2HjVpJG4jv9UzxzG2TtNB3e |
| TQgfunCuUFws4WGZab7kjxLWKUmJSPKGFm |
| TKE51wY1FmvbXrH4AteNgcJSVDguWni4HS |
| TMuUzSwgpvDJBpoqxsWtijrQX371iEn9sN |
| TEcwcZF11XXHbbGL2RPWdDd7YbixXYxoEY |
| TTs7ZAuCgYAcvWKWm7Qax8W3UWeitW9noB |
| TMkuWpAN4s5HZ8pTsGYzTRUGh5jWnjqW2i |
| TQiGHQRiBZA6Xd8UVuDT9VWohtgQdrRt39 |
| TTFNGrNQonnNfTMEU34xeij8g5Pqqn6FAm |
| TD8ZpRPU6SY4dUHkG2weVD6xtESWMsiF43 |
| TWRbS4vuGYScbbKdQxy6diESww11R3eXUs |
| TWoNQzehjEZj5QfAhvHmihR2LBo2s72czJ |
| TJZuAX4iVjaGB11ZWSCMW8E9mX35TM7jdr |
| TFb97xEjBBakbrMmpAqWAYMJFR68JjSM6e |
| TXJXsDNHsEqFvLpDL7qDiEYgxek1jdTfsF |
| TYiTE2J1L3dyVALo76aFYPSCBZdN35cjBa |
| THT9uMSBQqMy4Ad3YDtRrPw7PJjALKESHb |
| TNqBaiYGjVQbcZUuLHKyEgBgyvykccaFcG |
| TTAqByYH4pBhtuTYvWieFwXQTsCw9ZYoEe |
| TKa6trT8fzEmrsEV92SyAqtkddgbHM85hY |
| TYFm8uSf58nwRi86mF1RbKBtx6JJxnZPxs |
| TMKm7XicSmyUhTbqFJ5JbeDdAD7BY4F6mt |
| TWT7XvGWzgYtd95aQ7nWaYgkFXW5fjzUqH |
| TUk1mJ5jPD153NW39JnJzchKZZnbcVRryv |
| TReuvDX1Kg5JVuBWPcUYDKu6S1aX8EztEx |
| TRsHSPfo1ySHRyYSZPcxU9761CnDkwMAwN |
| TABP17Zh3jw1yxZPqQrP9iVnstiswoYgUN |
| TLWre9AKkJwQGU9ZHkLpMkXETvaNNLUXS6 |
| TF3sx3rJ1Vi6vxW2Wc9ZVYD3LBniHkneqs |
| TPscMWEbzetxb2uhyiQFTDSmYkkZBQXN8y |
| TMdyk7KKLSENUTwcAFdLB472wAgRPYeZF9 |
| TZCvmatmJ8xEagwEM3PoWYTTB3uTH8x5b1 |
| TQhptCXKutuoWJRcx2ShT7TtJhiYrwX3yi |
| TCvLs4Fze61oDeiixb7S85VCBj5fC377be |
| TEkvv6UbMoknC8wsqX2vTy2Pa7qYgQjaw8 |
| TC9nUeC76yEfGgs5koP29Tj3YU4m8Psd6G |
| TBUvPK5jEe9sJ5hi5N1S2qqfsZUGePDZ5X |
| TPKBSQB7JpwmEnU1GTyyfm5U9xpMkBNyEH |
| TTFJPmc6PsrMxdDX1TWNp1kD3kXUfSGqub |
| TWkGYUSGgCzQbk6VuQxenLEZMUqCor7HZ3 |
| TU6Gt77cKtpZ8vDzqMxJR1dEmpVUV5asi7 |
| TVCxU53phBXwz71zWU6dD5qUpAnd9oWVDm |
| TL5J16cRxrnz4THe1V9iNVQAw5QK9EdqSa |
| TG6qzN53Wgeqz4eKa8HNGSG9zraDUhD4mu |
| TWDYL2PJX4BdRJeRuvMwjbzuQG919VhpuG |
| TPGXc8u1CfkzNYGdxdKHXBTKf6ASZYEmdN |
| 0x029b4053413725f2302c7a26e4da86abae99c8c5 |
| 0xb1a635b3a7ee1e49ac4cf823d6d18fc17d846e19 |
| 0x8af578c15a7316ac053809A8E3DAdBFD51b1B870 |
| 0xed85fDea56202b886eF325E33b17d127d3679D64 |
| TA8vyBg93KXaiQXV22WWXTB9hz3caN81DE |
TokenSpot’s Telegram channel reported “technical maintenance” and a brief outage on April 15, followed by a full recovery announcement the next day. Blockchain data later identified two TokenSpot addresses that sent funds to the same consolidation wallet used in the Grinex incident, linking the two events.
Why the Tron blockchain became infrastructure for the shadow crypto economy
“Pig butchering” scams rely on Tron thanks to near-zero fees and transaction speeds of about 3 seconds. This allows criminals to move stolen funds through dozens of wallets before the victim even realizes the money is gone
What Blockchain Analysis Shows
Analysis identified around 70 addresses connected to the attack—significantly more than disclosed by Grinex. Most stolen assets were USDT on the TRON network.
The attacker converted the funds into TRX and consolidated them into a single wallet. At the time of writing, that address had received about 45.9 million TRX, equivalent to roughly $14.98 million.
Losses linked to TokenSpot were minimal—under $5,000—and were also sent to the same address.
Four Ethereum addresses were also tied to the incident. The purpose of those transactions remains under investigation.
Grinex: A Sanctioned Exchange with Russian Ties
Grinex was registered in Kyrgyzstan in December 2024, just weeks before an international law enforcement operation in March 2025 shut down Garantex—one of the highest-risk crypto exchanges globally.
Within days, Garantex-linked Telegram channels began promoting Grinex, offering “familiar functionality” and actively onboarding former users to recover frozen assets.
Which platforms help Russia evade sanctions: a complete list
We examine cryptocurrency platforms used for cross-border settlements that bypass sanctions. The report is based on blockchain analytics and reveals specific connections, transaction volumes, and operational infrastructure.
On August 14, 2025, OFAC sanctioned Grinex along with key figures behind Garantex and token issuer Old Vector. The exchange was described as a continuation of Garantex’s sanctions evasion infrastructure.
Before its shutdown, Garantex processed over $100 billion in transactions, with 82% linked to sanctioned entities despite being under OFAC sanctions since April 2022.
How Garantex splits business and what does AEXbit have to do with it
Russian-sanctioned crypto exchange Garantex (Grinex) has split its financial flows using third-party platforms
A key component of Grinex’s operations was A7A5, a ruble-backed stablecoin issued by Old Vector. Garantex wallets began shifting funds into A7A5 as early as January 2025, suggesting premeditated restructuring. Former users received A7A5-denominated credits tied to their frozen balances, which could be used on Grinex.
TokenSpot: A Regional Hub with Global Links
TokenSpot, also registered in Kyrgyzstan, processed over $4 billion in transactions between December 2023 and March 2026—far exceeding typical retail exchange volumes in the region.
Blockchain data suggests TokenSpot functions as a front for Garantex, based on overlapping transaction patterns and shared infrastructure.
Financial ties are direct: TokenSpot sent about $88 million to Garantex and Grinex, and received over $12 million back from Grinex. Its largest counterparty is A7, a sanctions evasion network forming the backbone of Russia’s parallel financial system. TokenSpot alone sent over $257.5 million to A7.
Its exposure goes beyond this ecosystem. Nearly $1 million was traced from an OFAC-sanctioned wallet linked to money laundering for the Houthis. That wallet is associated with Afghan businessmen based in Russia, reportedly involved in arms procurement and the trade of stolen Ukrainian grain.
Ruble-pegged stablecoin A7A5 under scrutiny: overview of the new EU sanctions package
EU authorities have expanded restrictive measures against the ruble-pegged stablecoin A7A5 and related infrastructure due to its use to circumvent anti-Russian sanctions
TokenSpot has also been linked to payments tied to the InfoLider operation—a pro-Russian influence campaign in Moldova, where participants were reportedly paid to promote narratives and take part in anti-government protests.
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter