Grinex Crypto Exchange Hacked: $13.7M Stolen, Operations Suspended

Grinex, a sanctioned cryptocurrency exchange with deep ties to Russia, suspended all operations on April 17, 2026 after attackers drained approximately $13.7 million from 54 customer wallets. Blockchain intelligence firms Elliptic and TRM Labs have been tracking Grinex for months as the direct operational successor to Garantex—a Russia-linked exchange dismantled by international law enforcement in March 2025. The breach is not just a theft. It is a flashpoint in the geopolitics of crypto-enabled sanctions evasion.

At roughly 12:00 UTC on April 16, 2026, attackers moved against Grinex's wallet infrastructure with a level of precision that the exchange itself described as unprecedented. By the time the platform posted to Telegram confirming a suspension of all trading and withdrawals, 54 wallets had been emptied, primarily of USDT held on the TRON blockchain. Users attempting to access funds found their accounts locked while the company assessed the full scope of the damage.

What Happened

Grinex disclosed the breach through its Telegram channel and an official statement on its website. The exchange confirmed that over 1 billion rubles—approximately $13.7 million at current rates—had been stolen directly from user wallets. In its statement, Grinex declared it had been forced to suspend operations and confirmed that a criminal complaint had been filed at the location of the infrastructure. The platform published a list of the 54 affected wallet addresses along with the drained amounts, and urged blockchain investigators to assist in tracing the stolen assets.

According to Elliptic, the stolen USDT was routed to addresses on both the TRON and Ethereum blockchains almost immediately after the theft. The funds were then converted into native assets, TRX on TRON and ETH on Ethereum, with the TRON-side swaps executed through the SunSwap decentralized trading protocol. The conversion was deliberate: by swapping USDT into native blockchain assets, the attackers removed the risk of Tether freezing the stolen stablecoin balances, a countermeasure Tether has used in previous high-profile thefts. Elliptic described Grinex as having been one of the largest venues for exchanging Russian rubles into crypto assets, a designation that puts the scale of the hack in context: this was not a fringe exchange but the primary liquid market for ruble-denominated cryptocurrency in the post-Garantex landscape.

Elliptic placed the total outgoing volume from the affected accounts at approximately $15 million when accounting for that conversion. That figure is higher than Grinex's own stated loss of roughly $13.1 to $13.7 million, a discrepancy that appears across nearly all reporting on this incident and deserves a plain explanation: Grinex denominated its disclosure in rubles and converted at a single exchange rate, while Elliptic and TRM Labs tracked total USDT outflows on-chain across all associated wallet clusters, including addresses Grinex did not publicly name. The two numbers measure different things. Neither is wrong.

Figure: How the Stolen Funds Moved, April 16, 2026 (based on Elliptic and TRM Labs on-chain analysis). Grinex, 54 wallets, ~$15M USDT (labelled T1657) → TRON addresses (USDT → TRX via SunSwap) and Ethereum addresses (USDT → ETH; destination under investigation), Tether freeze avoided by converting away from USDT → consolidation (labelled T1027 / T1070) into a single TRON address holding 45.9M TRX (~$14.98M) → next steps unknown (mixers or DEX; monitoring ongoing). TokenSpot: 2 wallets → the same consolidation address, under $5,000 taken (probe or limited exposure).
Incident Summary
Date of theft: April 16, 2026, ~12:00 UTC
Wallets drained: 54 (Grinex's published list) / ~70 on-chain (TRM Labs)
Self-reported loss: $13.7M
On-chain outflow: ~$15M
Assets stolen: USDT (TRON)
Converted to: TRX and ETH, via SunSwap
Exchange status: Suspended
Action taken: Criminal complaint filed

TRM Labs went further than Grinex's own disclosure. The firm identified approximately 70 addresses connected to the incident—roughly 16 more than Grinex publicly reported. All known stolen funds were converted to TRX via SunSwap and consolidated into a single TRON address. At the time of initial analysis, that address held approximately 45.9 million TRX, equivalent to roughly $14.98 million at prevailing rates. Four Ethereum addresses are also associated with the incident; the destination of funds from those addresses remains under active investigation.

The attack did not stop at Grinex. TRM Labs identified a simultaneous breach at TokenSpot, a Kyrgyzstan-registered exchange that the firm assesses is a likely Garantex front company based on on-chain analysis. Two TokenSpot wallet addresses routed funds to the same consolidation address used in the Grinex attack. TokenSpot's Telegram channel had announced "technical work" and a brief platform outage on April 15—the day before the Grinex theft—before confirming the following day that full services had resumed. The amount taken from TokenSpot was less than $5,000, suggesting the attacker either probed the exchange or that TokenSpot's exposure to the target wallet cluster was limited. The shared consolidation address is the forensic link connecting both incidents to a single actor.

Grinex did not disclose the technical vector used to access the wallets. The platform offered no detail on whether the breach involved a compromised private key, an insider, a hot wallet vulnerability, or another attack path. What it did publish was a public call for blockchain analysts and law enforcement to assist in tracking the funds—and a political attribution that immediately drew scrutiny.

From Garantex to Grinex: The Sanctions Evasion Pipeline

To understand the full significance of the Grinex breach, the exchange's origin is essential context. Garantex was a Russia-linked cryptocurrency exchange first sanctioned by OFAC in April 2022 for processing transactions tied to darknet markets and ransomware operations including Hydra, Conti, Black Basta, LockBit, Ryuk, and NetWalker. From 2019 through its operational disruption in March 2025, Garantex processed an estimated $96 billion in total cryptocurrency transactions, with 82 percent of that volume linked to sanctioned entities globally, according to TRM Labs. It did so while under OFAC sanctions for the final three of those years.

A note on the Garantex transaction figures: the $96 billion figure cited by TRM Labs reflects tracked transaction volume from 2019 through the March 2025 disruption. Figures referenced elsewhere—including Chainalysis and court documents—place total Garantex processing at "over $100 billion," which is consistent: the higher figure includes activity through the later enforcement action date and rounds to the nearest benchmark. This article uses TRM Labs' more granular figure of $96 billion for the 2019–2025 period, and notes that both figures describe the same underlying operation, measured to slightly different endpoints.

Several details about Garantex's operational history are worth emphasizing because they are rarely compiled in a single place. Garantex was originally incorporated in Estonia, where it operated as Garantex Europe OÜ under a virtual currency services license issued November 27, 2020. The Estonian Financial Intelligence Unit launched an on-site inspection in December 2021 after flagging the entity for processing more than €5 billion per year, an extraordinary volume for what was supposed to be a compliant exchange. The inspection revealed what the FIU described as serious and systematic KYC and AML deficiencies. The license ran for just 15 months before Garantex Europe surrendered it on February 24, 2022, the day Russia launched its full-scale invasion of Ukraine, one day ahead of what would have been a formal revocation. Six weeks later, in April 2022, OFAC sanctioned Garantex under Executive Order 14024. Rather than curtailing operations, Garantex moved its primary infrastructure to Federation Tower in Moscow, the same building that had housed the previously sanctioned SUEX and CHATEX exchanges, a pattern of concentration that U.S. Treasury noted explicitly in its April 2022 sanctions announcement.

After the 2022 OFAC designation, Garantex did not shrink. Its daily trading volume grew more than 1,000 percent in the following three years, from approximately $11 million on March 1, 2022, to $121.6 million on March 1, 2025, per CoinPaprika data. The technical mechanism that allowed it to operate despite sanctions was documented in the DOJ indictment: Garantex moved its operational cryptocurrency wallets to different virtual addresses on a daily basis, making it structurally difficult for U.S.-based exchanges to identify and block transactions with Garantex accounts. By early 2023, Aleksej Besciokov, Garantex's technical administrator, and co-conspirators had redesigned the exchange's operations specifically to induce U.S. businesses to transact with Garantex without knowing they were doing so, a technique Elliptic noted had previously been used by the darknet market AlphaBay. The U.S. Secret Service separately obtained backup copies of Garantex's servers, including complete customer and accounting databases, before the March 2025 seizure, meaning the full transaction history is available to prosecutors regardless of what was destroyed in the takedown.

One of the more revealing documented cases of Garantex's client base is Ekaterina Zhdanova, a Russian national sanctioned by OFAC in November 2023. Zhdanova used Garantex to convert over $2 million in Bitcoin to Tether (USDT) as part of a broader money laundering operation that included assisting a Russian oligarch in moving approximately $100 million to the UAE, running a UAE-based tax residency service that provided identity documents and bank accounts to sanctioned Russians, and operating a luxury watch company as a vehicle for trade-based money laundering. The Zhdanova case illustrates that Garantex served not only ransomware gangs and darknet markets but also the high-end oligarch wealth-flight market—a use case that received comparatively little attention in Western coverage of the exchange.

On March 6, 2025, the U.S. Secret Service, working with German and Finnish law enforcement, seized Garantex's primary web domain and froze over $26 million in cryptocurrency. A note on this figure: Crystal Intelligence, another blockchain analytics firm, cites $28 million in some of its reporting on the same event. The $26 million figure appears in official U.S. government statements and is used by Elliptic and TRM Labs; the higher figure may reflect rounding or a slightly different accounting of the total stablecoin freeze. This article uses the $26 million figure consistent with official government reporting. The following day, the Department of Justice unsealed indictments against Garantex executives Aleksandr Mira Serda and Aleksej Besciokov. The indictment had been filed under seal in the U.S. District Court for the Eastern District of Virginia on February 27, 2025, seven days before the domain seizure, giving investigators an operational window to execute the takedown before the defendants could react.

Besciokov, 46, a Lithuanian national residing in Russia, was arrested at 4:00 PM local time on March 11, 2025, in the coastal municipality of Varkala in the Indian state of Kerala, where he was vacationing with his family. Reports indicated he was preparing to leave India. The Kerala state police, acting on a warrant issued by the Patiala House Court in New Delhi under India's Extradition Act of 1962, detained him in a joint operation with the Central Bureau of Investigation (CBI). The DOJ's indictment identifies Besciokov by his hacker aliases "proforg" and "iram." The "proforg" handle corresponds to the administrator of udaff, a 20-year-old Russian-language internet forum—a biographical detail that predates Garantex by well over a decade and that the indictment included to establish identity. Besciokov faces up to 45 years in prison if convicted: 20 years for money laundering conspiracy, 20 years for violating the International Emergency Economic Powers Act, and 5 years for operating an unlicensed money transmitting business.

Aleksej Besciokov
Nationality: Lithuanian; Russian resident
Born: January 21, 1979 (age 46)
Aliases: "proforg", "iram"; "proforg" links to the admin of the 20-year-old Russian forum udaff
Role: Primary technical administrator. Obtained and maintained Garantex infrastructure; reviewed and approved all transactions, including those linked to Lazarus Group and ransomware gangs
Arrested: March 11, 2025 at 4:00 PM, Varkala, Kerala, India. Warrant issued by Patiala House Court, New Delhi. Was reportedly preparing to leave the country.
Charges: Money laundering conspiracy (20 yr max), IEEPA violation (20 yr), unlicensed money transmitting (5 yr); 45 years total maximum exposure
Status: In custody in India, extradition to the U.S. Eastern District of Virginia pending. On the U.S. Secret Service Most Wanted list.

Aleksandr Mira Serda
Former name: Aleksandr Ntifo-Siaw (per DOJ indictment)
Nationality: Russian; UAE resident
Born: May 31, 1984 (age 41)
Role: Co-founder and CCO. Managed business operations, customer relationships, and commercial development. Garantex provided false information to Russian law enforcement when asked about his personal account.
Charges: Money laundering conspiracy (20 yr max)
Status: At large, believed in the UAE. State Department reward: up to $5 million for information leading to arrest or conviction.

His co-defendant, Aleksandr Mira Serda, 41, was previously known as Aleksandr Ntifo-Siaw—a name change documented in the DOJ indictment. A Russian national residing in the United Arab Emirates, Mira Serda served as Garantex's co-founder and chief commercial officer. He remains at large. The State Department's $5 million reward offer targets him specifically. Court documents contain a detail that reveals how far the deception extended: when Russian law enforcement requested records on an account registered to Mira Serda himself, Garantex falsely claimed the account was not verified—even while disclosing identifying information for other accounts requested in the same inquiry. The exchange deceived its own country's law enforcement to protect its own co-founder's identity.

Court documents from that proceeding also named North Korea's Lazarus Group among Garantex's clientele—the same group the FBI confirmed responsible for the $1.5 billion Bybit hack in February 2025, the largest cryptocurrency theft on record. The Garantex-Lazarus connection is specific: Elliptic documented that over $30 million from the $100 million Harmony Horizon Bridge hack was routed through Garantex in February 2023, providing a precise forensic example of how North Korea's cryptocurrency laundering operation used the Moscow-based exchange as a conversion and obfuscation layer.

The day before the domain seizure, on March 5, 2025, Tether froze approximately 2.5 billion rubles (roughly $28 million) in USDT held in Garantex-associated wallets. Garantex's response on Telegram was immediate and telling: the exchange told users that all USDT in Russian wallets was now under threat and announced a temporary halt to all withdrawals. The statement, intended as a warning to users, inadvertently confirmed for the broader market that Tether's unilateral freeze capability was the single most effective tool used against the exchange before the formal seizure. It was Tether's action, not a law enforcement directive, that first stopped Garantex withdrawals.

Swiss blockchain analytics firm Global Ledger's on-chain forensics document exactly how the Garantex-to-Grinex fund transfer worked. Between February 8 and March 11, 2025, Garantex transferred batches totaling billions of A7A5 tokens to the staging address TFwjPScaJRCbSWVAywE1S1WgaUgSnyYUbD. On March 4, that same wallet also received stablecoins from Tether-blocked addresses. On March 5, more than 4.5 billion A7A5 were withdrawn and routed through a series of disposable one-time-use accounts before landing at TJkBr9TZ1xBeJoF7RNWqyEMbYqVJJ6fXXHR. Those funds were then sent to the contract address TML1DbrPXYDDDwatGxw66iEwECnXCG54uJy, which received over 5 billion A7A5. Within ten minutes, 4.4 billion A7A5 were burned and reissued to OFAC-labeled address TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq—a burn-and-reissue step Global Ledger assessed was designed to sever the direct on-chain link to Garantex. From that address, another chain of disposable wallets delivered the funds to Grinex's confirmed hot wallet at TGckaiamj5NzaYx6Qp6Zu7kahuHArzUo. The gas to fund that intermediary chain came from a large Asian centralized exchange that Garantex had been actively using for withdrawals and liquidity inflows.

The public-facing response from Garantex leadership was equally revealing. Sergey Mendeleev, one of Garantex's original founders, posted on Telegram announcing the creation of Grinex and claiming any similarities between the two exchanges were coincidental—a statement widely noted for the two laughing emojis he appended to it. Meanwhile, Garantex users reported physically visiting Garantex offices in Europe and the Middle East and transferring crypto balances directly from Garantex to Grinex with the assistance of Garantex managers, according to Global Ledger.

The takedown did not stop the network. Kyrgyz government records reviewed by TRM Labs show that Grinex was incorporated on December 23, 2024—approximately ten weeks before the Garantex seizure—by an individual named Duulat-eldar Sagynbeki Subankulov, who had no known prior history in the exchange business; TRM Labs has noted he may have been a professional gamer prior to appearing as Grinex's registrant. Within days of the March 2025 disruption, Telegram channels affiliated with Garantex began promoting Grinex as a platform offering familiar functionality. The two exchanges share near-identical interfaces, operational structures, and clientele. Garantex customer deposits migrated to Grinex, with on-chain data showing funds moving through one-time-use wallets before appearing in Grinex accounts.

It is worth noting that Grinex has consistently and officially denied any connection to Garantex. The exchange has publicly maintained that any similarities between the two platforms are coincidental, and it has disputed the legal characterization of itself as a Garantex successor. That denial is a matter of record. It is also a matter of record that OFAC, the UK's OFSI, the EU, and multiple independent blockchain intelligence firms—including Elliptic, TRM Labs, Global Ledger, and Crystal Intelligence—have each independently concluded, through on-chain forensics, that the operational, financial, and personnel overlap between Garantex and Grinex is extensive. When OFAC designated Grinex in August 2025, it did so under Executive Order 13694 on the basis that Grinex was owned or controlled by Garantex and actively continuing its operations. Grinex's denial is published here for completeness and accuracy; the legal and blockchain-forensic record points in a single direction, and this article presents Grinex as a Garantex successor on that basis.

TRM Labs assessed that Garantex leadership had a contingency plan prepared well in advance and moved quickly to activate it once the enforcement action landed.

On August 14, 2025, OFAC formally sanctioned Grinex under Executive Order 13694, designating it as an entity owned or controlled by Garantex and actively continuing Garantex's operations. Notably, the Treasury's own press release records that Grinex's promotional materials stated that the exchange was formed in response to the sanctions and asset freezes that affected Garantex—an unusually candid self-description from an entity claiming no connection to its predecessor. The same action sanctioned Garantex co-owners Pavel Karavatsky and Aleksandr Mira Serda, co-founder Sergey Mendeleev, and A7A5 issuer Old Vector. The UK's Office of Financial Sanctions Implementation followed on August 20, 2025, sanctioning Grinex alongside affiliated Kyrgyzstani company CJSC Tengricoin and other individuals tied to the network. The European Union applied its own sanctions in two stages: Garantex was designated in March 2025, and the EU's 19th sanctions package, adopted October 23, 2025 with effect from November 25, 2025, explicitly banned all transactions involving A7A5 and designated its affiliated entities, describing the stablecoin as "a prominent tool for financing activities supporting the war of aggression." The State Department announced reward offers of up to $5 million for information leading to the arrest of Mira Serda and up to $1 million for other key Garantex leaders.

The A7A5 Stablecoin and the TokenSpot Network

At the center of the Garantex-to-Grinex transition is the A7A5 token, a ruble-backed stablecoin issued by Kyrgyzstani company Old Vector LLC—itself sanctioned by OFAC in August 2025. Old Vector is registered at a residential building in Bishkek, the same address linked to several additional shell companies, including Trust Corporation, which was registered there on the same day. A7A5 is backed by ruble deposits held at Promsvyazbank (PSB), a Russian state bank already subject to sanctions across multiple jurisdictions. The token operates on both the TRON and Ethereum blockchains and was engineered specifically to allow Garantex customers to recover assets frozen during the March 2025 law enforcement action.

The scale of A7A5 activity is significant by any measure, though the specific figures cited across outlets vary with which firm ran the analysis and through which date. Chainalysis reported that A7A5 facilitated over $93.3 billion in transactions in 2025, its first year of operation, making it a central driver of the record $154 billion in illicit crypto activity that year; through July 2025 alone, Chainalysis had tracked more than $51 billion in A7A5 trading volume. TRM Labs, measuring stablecoin flows specifically, tracked approximately $72 billion tied to A7A5 within the broader sanctions evasion ecosystem. Elliptic reported the token crossing $100 billion in cumulative transaction volume by early 2026, and separately reported it processing over $1 billion per day at peak activity. These figures are not mutually contradictory: Chainalysis measured 2025 calendar-year volume, TRM Labs a sanctions-evasion subset of stablecoin flows, and Elliptic a cumulative total through January 2026. This article uses the $100 billion cumulative figure as the most current available benchmark, and cites the Chainalysis 2026 Crypto Crime Report's $93.3 billion figure for the 2025 calendar year.

A7A5 is tied to A7 LLC, a Russian firm owned in part by sanctioned Moldovan oligarch Ilan Shor, a fugitive wanted in Moldova for fraud and election interference, and connected to Promsvyazbank. On-chain analysis by TRM Labs identified the precise link: OFAC-labeled Garantex wallet TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq began moving funds into A7A5 as early as January 2025, weeks before the Garantex seizure, indicating foreknowledge of impending enforcement.

A note on A7A5's launch date: sources describe it differently. Elliptic and TRM Labs identify January 2025 as the point when Garantex wallets began moving funds into A7A5, suggesting operational use began that month. Chainalysis describes A7A5 as having launched "in February 2025." A separate source references "mid-2024." The most likely resolution is that A7A5's underlying token contract and issuer infrastructure were developed in late 2024 or early 2025, that Garantex wallets began interacting with it in January 2025 in preparation for the enforcement action, and that the stablecoin became publicly available and widely traded from approximately February 2025 onward. This article uses January 2025 as the date Garantex first moved funds into A7A5, per TRM Labs on-chain analysis, which is the most forensically specific data point available.

A7A5 trading occurs predominantly on weekdays—a pattern consistent with business-to-business settlement rather than retail use. Grinex served as the primary platform for A7A5 trades. A secondary exchange called Meer, whose website domain was registered on December 9, 2024—contemporaneous with Grinex and A7A5—was among the first to list the token and shares the same spending heuristics and trading interface as the broader Garantex–Grinex network. Meer experienced a pronounced surge in volume following the March 2025 Garantex disruption, consistent with it serving as a parallel channel for the same flows.

TokenSpot, the Kyrgyzstan-based exchange simultaneously targeted in the April 16 attack, demonstrates the network's reach beyond simple sanctions evasion. The platform's on-chain financial ties to the broader Garantex network are direct: TokenSpot transferred a combined $88 million to Garantex and Grinex and received over $12 million back from Grinex, according to TRM Labs. Its largest single counterparty is the A7 sanctions evasion network, to which TokenSpot sent over $257.5 million. TRM Labs traced nearly $1 million received by TokenSpot addresses from a wallet OFAC had sanctioned for laundering funds on behalf of the Houthis—a wallet linked to Russia-based Afghan businessmen involved in procuring weapons and stolen Ukrainian grain for Houthi operations. TRM also confirmed open-source reporting linking TokenSpot transactions to InfoLider, a Russia-backed influence operation in Moldova in which participants were paid in cryptocurrency to promote pro-Russian narratives and join anti-government demonstrations. Between December 2023 and March 2026, TokenSpot processed over $4 billion in transaction volume—a scale that TRM Labs describes as far exceeding what legitimate retail exchanges in Central Asia would typically produce.

Sanctions Exposure Note

Any financial institution or exchange that processed A7A5 trades or facilitated Grinex transactions after the August 2025 designations may face OFAC exposure. The prohibitions bind U.S. persons wherever they are located, and they reach any transaction that touches U.S. jurisdiction, such as U.S.-dollar clearing or U.S.-hosted infrastructure.

What the Attack Tells Us Technically

Grinex did not disclose the technical vector used to access the wallets, and no independent forensic firm has published a root-cause analysis as of this writing. That gap is worth sitting with: the absence of a known entry point is itself a data point. What the on-chain record does show is a set of behavioral characteristics that, taken together, are consistent with a specific class of attack.

The wallets drained were hot wallets—exchange-controlled addresses holding funds needed for active trading and withdrawal processing. Cold storage, which holds the majority of assets offline and requires deliberate physical intervention to access, was not compromised. This means either the attacker had access to the private keys or signing infrastructure of the hot wallet cluster specifically, or they gained enough privileged access to the exchange's internal systems to authorize outbound transactions. The three most common mechanisms in comparable breaches are: compromised private key storage (keys held in accessible server memory or poorly protected environment variables), a compromised transaction-signing flow (where the attacker intercepts or replaces legitimate withdrawal requests with attacker-controlled destination addresses), or insider access. The speed of the operation—54-plus wallets drained in a coordinated sweep at approximately 12:00 UTC—is consistent with scripted automation rather than manual extraction, which implies pre-positioning: the attacker had already identified and staged against the target infrastructure before the execution window opened.
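One concrete control that a scripted sweep of this kind would trip is a velocity and destination check sitting in front of the signing service: a single hot wallet being emptied to an address that has never been paid before, and dozens of hot wallets being asked to sign within the same few minutes, are both anomalies that legitimate withdrawal processing does not produce. The following Python is an added example written for this article, not Grinex's code and not a description of its actual controls; the thresholds, wallet names, destination allowlist and request log are all hypothetical and constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WithdrawalRequest:
    ts: int          # unix seconds (constructed)
    wallet: str      # hot wallet asked to sign
    dest: str        # destination address
    amount: float
    balance: float   # wallet balance when the request arrived


# Hypothetical policy knobs; a real deployment derives them from its own
# baseline of legitimate withdrawal traffic.
WINDOW_SECONDS = 600
MAX_WALLETS_PER_WINDOW = 5   # distinct hot wallets normally signing per window
DRAIN_RATIO = 0.9            # one request taking >= 90% of a wallet's balance
KNOWN_DESTINATIONS = {"user_withdrawal_1", "user_withdrawal_2", "cold_vault"}


def drain_ratio(req):
    return req.amount / req.balance if req.balance > 0 else 1.0


def evaluate(requests):
    """Return [(ts, wallet, reasons)] for requests the signer should hold.

    Rule 1: a near-total drain of one wallet to an address outside the
            allowlist is held on its own.
    Rule 2: once more than MAX_WALLETS_PER_WINDOW distinct wallets have been
            asked to sign inside one sliding window, every further request in
            that window is held: normal processing never touches the whole
            hot-wallet cluster at once.
    """
    held = []
    recent = []  # sliding window of (ts, wallet)
    for r in sorted(requests, key=lambda x: x.ts):
        recent.append((r.ts, r.wallet))
        recent = [(t, w) for t, w in recent if r.ts - t < WINDOW_SECONDS]
        wallets_in_window = {w for _, w in recent}
        reasons = []
        if r.dest not in KNOWN_DESTINATIONS and drain_ratio(r) >= DRAIN_RATIO:
            reasons.append("near-total drain to unknown destination")
        if len(wallets_in_window) > MAX_WALLETS_PER_WINDOW:
            reasons.append(
                f"{len(wallets_in_window)} wallets signing within {WINDOW_SECONDS}s")
        if reasons:
            held.append((r.ts, r.wallet, reasons))
    return held


# Constructed request log: a quiet morning, then a scripted sweep of eight
# hot wallets a few hours later, each asked to send 99% of its balance to one
# never-before-seen address within 40 seconds.
NORMAL = [
    WithdrawalRequest(0, "hot_01", "user_withdrawal_1", 100.0, 50_000.0),
    WithdrawalRequest(120, "hot_02", "user_withdrawal_2", 250.0, 80_000.0),
    WithdrawalRequest(300, "hot_01", "cold_vault", 20_000.0, 50_000.0),
]
SWEEP = [
    WithdrawalRequest(43_200 + 5 * i, f"hot_{i + 1:02d}", "attacker_sink",
                      0.99 * 50_000.0, 50_000.0)
    for i in range(8)
]


if __name__ == "__main__":
    for ts, wallet, reasons in evaluate(NORMAL + SWEEP):
        print(ts, wallet, "; ".join(reasons))
```

The first rule catches each drained wallet on its own; the second catches the pattern even if the attacker spreads the drain across many smaller requests, because it keys on how many distinct signing keys are in use at once rather than on amount. Neither rule helps if the attacker holds the raw private keys and signs outside the service, which is why such checks belong in an HSM or MPC policy layer that the keys never leave, not in application code that a compromised host can bypass.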

Grinex itself acknowledged that its infrastructure had been under persistent pressure well before April 16. In its official statement, the exchange described having addressed repeated attempts to block cryptocurrency withdrawals outside the CIS region, including sanctions listings, wallet labeling, and transaction blocking—and characterized the hack as a new escalation of that pressure rather than an isolated event. Prior minor incidents were also acknowledged. This background matters for technical attribution: an exchange that has been under sustained, sophisticated external pressure for months has a larger attack surface of probed and partially-mapped infrastructure than one encountering adversarial attention for the first time.

There is also a structural security question that the Garantex connection raises and that no public analysis has yet answered directly: did Grinex inherit Garantex's security vulnerabilities along with its customers, liquidity, and infrastructure? The burn-and-reissue A7A5 transfer chain that moved Garantex funds into Grinex was executed in minutes using a pre-prepared wallet chain. That level of operational readiness in the fund migration suggests the platform was stood up rapidly with a focus on continuity of service, not security hardening. If the same hot wallet architecture, key management practices, and internal access controls carried over from Garantex—a platform that had itself been operating under adversarial pressure since its 2022 OFAC designation—the security posture of Grinex at launch may have been weaker than a purpose-built exchange's. That hypothesis is not confirmed, but it is the right question to ask when evaluating why a platform that described itself as operating under sophisticated, ongoing attacks was apparently breached at scale in a single coordinated window.

The decision to convert stolen USDT into TRX rather than holding it also carries technical implications. TRX is a native blockchain asset on TRON. Unlike USDT, which is a Tether-issued contract token, TRX cannot be frozen by a central issuer. By converting immediately after the theft, the attacker removed the most actionable recovery lever available: the possibility that Tether would freeze the stolen stablecoin balances before they moved further. Tether has exercised this capability in prior major thefts—freezing USDT linked to the 2022 Ronin Bridge hack and others—and it represents the fastest mechanism by which stolen stablecoin funds can be rendered inaccessible without on-chain seizure. Converting to TRX eliminates that option and puts recovery entirely in the hands of law enforcement tracing and exchange-level cooperation, both of which are slower and more uncertain paths.
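The tracing pattern described here and in the TRM Labs analysis above (stablecoin leaves the victim wallets, is swapped into a native asset that no issuer can freeze, and is then consolidated into one address that the TokenSpot flows also reach) reduces to a small graph walk with two practitioner rules: never expand through shared contracts such as a DEX router, or every unrelated user of that router ends up in the "attacker" cluster, and measure how long the funds stayed in a freezable asset, because that is the window an issuer freeze would have had to land in. The following Python is an added example written for this article, not code from Elliptic, TRM Labs, Global Ledger or Grinex; the transfer log, every address and the SUNSWAP_ROUTER label are constructed placeholders, not real chain data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int       # unix seconds (constructed; stands in for block time)
    src: str
    dst: str
    asset: str
    amount: float


FREEZABLE_ASSETS = {"USDT"}            # issuer can blacklist a holder on-chain
SHARED_CONTRACTS = {"SUNSWAP_ROUTER"}  # hypothetical label for the DEX contract


def trace_cluster(transfers, seeds, max_hops=6):
    """Breadth-first walk of outgoing transfers from the victim wallets.
    Shared contracts are recorded but never expanded. Returns {addr: hops}."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    dist = {s: 0 for s in seeds}
    frontier = list(seeds)
    while frontier:
        nxt = []
        for addr in frontier:
            if addr in SHARED_CONTRACTS or dist[addr] >= max_hops:
                continue
            for t in outgoing.get(addr, ()):
                if t.dst not in dist:
                    dist[t.dst] = dist[addr] + 1
                    nxt.append(t.dst)
        frontier = nxt
    return dist


def swap_events(transfers, cluster):
    """A transfer into a shared contract paired with a transfer back out to the
    same address, same block, different asset, is a swap.
    Returns [(address, asset_in, asset_out, ts)]."""
    events = []
    for t_in in transfers:
        if t_in.dst not in SHARED_CONTRACTS or t_in.src not in cluster:
            continue
        for t_out in transfers:
            if (t_out.src == t_in.dst and t_out.dst == t_in.src
                    and t_out.ts == t_in.ts and t_out.asset != t_in.asset):
                events.append((t_in.src, t_in.asset, t_out.asset, t_in.ts))
    return events


def freeze_window(transfers, seeds, cluster):
    """Seconds from the first theft transfer to the last swap that took cluster
    funds out of a freezable asset. None if nothing was swapped."""
    thefts = [t for t in transfers if t.src in seeds and t.dst in cluster]
    exits = [ts for _, a_in, a_out, ts in swap_events(transfers, cluster)
             if a_in in FREEZABLE_ASSETS and a_out not in FREEZABLE_ASSETS]
    if not thefts or not exits:
        return None
    return max(exits) - min(t.ts for t in thefts)


def sinks(transfers, cluster):
    """Cluster addresses that received funds and have not spent them."""
    spent = {t.src for t in transfers}
    return {a for a in cluster if a not in spent and a not in SHARED_CONTRACTS}


def shared_consolidation(transfers, seeds_a, seeds_b):
    """Terminal addresses reachable from both victim sets: the forensic link
    that ties two incidents to one operator."""
    return (sinks(transfers, trace_cluster(transfers, seeds_a))
            & sinks(transfers, trace_cluster(transfers, seeds_b)))


# Constructed sample log: three Grinex hot wallets and one TokenSpot wallet are
# drained, the USDT is swapped to TRX, and everything lands in one address.
# An unrelated user swaps through the same router and must NOT be clustered.
SAMPLE = [
    Transfer(1000, "grinex_hot_01", "attacker_a", "USDT", 5_000_000),
    Transfer(1005, "grinex_hot_02", "attacker_a", "USDT", 3_000_000),
    Transfer(1010, "grinex_hot_03", "attacker_b", "USDT", 4_000_000),
    Transfer(1100, "attacker_a", "SUNSWAP_ROUTER", "USDT", 8_000_000),
    Transfer(1100, "SUNSWAP_ROUTER", "attacker_a", "TRX", 24_000_000),
    Transfer(1120, "attacker_b", "SUNSWAP_ROUTER", "USDT", 4_000_000),
    Transfer(1120, "SUNSWAP_ROUTER", "attacker_b", "TRX", 12_000_000),
    Transfer(1300, "attacker_a", "consolidation", "TRX", 24_000_000),
    Transfer(1310, "attacker_b", "consolidation", "TRX", 12_000_000),
    Transfer(900, "tokenspot_hot_01", "attacker_c", "USDT", 3_000),
    Transfer(950, "attacker_c", "SUNSWAP_ROUTER", "USDT", 3_000),
    Transfer(950, "SUNSWAP_ROUTER", "attacker_c", "TRX", 9_000),
    Transfer(1400, "attacker_c", "consolidation", "TRX", 9_000),
    Transfer(2000, "unrelated_user", "SUNSWAP_ROUTER", "USDT", 100),
    Transfer(2000, "SUNSWAP_ROUTER", "unrelated_user", "TRX", 300),
]
GRINEX_SEEDS = {"grinex_hot_01", "grinex_hot_02", "grinex_hot_03"}
TOKENSPOT_SEEDS = {"tokenspot_hot_01"}
```

On the constructed log, the Grinex cluster never picks up the unrelated router user, the two victim sets share exactly one sink, and the stolen USDT was out of the freezable asset 120 seconds after the first theft transfer, a gap far shorter than any issuer's freeze process. Real chain data needs two refinements this toy skips: swap pairing by transaction hash and log index rather than by timestamp, and a curated list of shared contracts and exchange deposit hubs that is maintained, not guessed.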

Figure: The Garantex–Grinex Sanctions Evasion Network (interactive node graph in the original).

Attribution Claims and What the Blockchain Actually Shows

Grinex's public statement attributed the attack to foreign intelligence services, framing it as a state-backed operation targeting Russia's financial sovereignty. The exchange characterized the attack as involving an unprecedented level of technical resources available only to state-level actors from hostile nations, and stated that preliminary evidence indicated the breach was coordinated to cause direct harm to Russia's financial infrastructure. No technical indicators of compromise were provided to support either claim.

Figure: Attribution Assessment, current analyst confidence as of April 17, 2026. Candidate actors weighed: Western intelligence agency; financially motivated criminal actor; non-Western nation-state; insider or operational security failure. This represents analytical probability weighting based on on-chain evidence, operational characteristics, geopolitical context, and comparable historical incidents, not confirmed attribution. No government has claimed responsibility. No forensic IOCs have been published by independent researchers.

These claims have not been independently verified. No government has claimed responsibility. BleepingComputer reported that Grinex did not respond to requests for comment on the attribution. What blockchain data does confirm is the technical execution: the attackers moved quickly, converted assets to avoid a Tether freeze, and routed funds through decentralized infrastructure that complicates seizure. That operational discipline is consistent with a skilled, well-resourced threat actor—but it does not confirm the specific attribution Grinex has made.

It is also worth noting that A7A5's official representatives have pushed back on the broader framing applied to their platform. When Chainalysis published its 2026 Crypto Crime Report citing A7A5's $93.3 billion in transactions, Oleg Ogienko, A7A5's director for regulatory and overseas affairs, told CoinDesk that the findings were politically motivated by Western countries. Ogienko characterized A7A5 as primarily serving legitimate Russian export and import payment needs, and maintained that the platform operates in compliance with the laws of Russia, Kyrgyzstan, and partner countries, with what he described as robust KYC and AML controls. Those rebuttals are noted here for accuracy. They do not change the on-chain forensic record, nor do they alter the sanctions designations issued by OFAC, the UK, and the EU—but they represent the position of the entity most directly implicated in the sanctions evasion infrastructure described throughout this article.

Similarly, when the UK sanctioned Grinex in August 2025, Kyrgyzstan's President Sadyr Japarov publicly appealed to the U.S. and UK governments, warning against politicizing the economy and expressing concern about the impact on the Kyrgyz financial system. The Kyrgyz position, which frames the sanctions as an overreach affecting a sovereign nation's economy, is a material part of the geopolitical context surrounding this incident. Kyrgyzstan has not taken enforcement action against Grinex domestically, and the exchange operated legally under Kyrgyz registration throughout.

The geopolitical context does provide motive for state interest. Grinex had processed billions in transactions supporting Russia's ability to conduct cross-border settlements under sanctions pressure. It was the primary trading venue for a stablecoin explicitly designed to evade international financial restrictions. A successful disruption of Grinex—whether through sanctions enforcement or a targeted cyberattack—would meaningfully impact Russia's ability to use cryptocurrency as a sanctions workaround. That strategic value does not prove Western intelligence involvement, but it clarifies why the exchange would be a high-value target for actors beyond purely financial criminals.

Separately, TRM Labs noted that the attacker may have targeted other nodes in the Garantex network beyond Grinex and TokenSpot, with fund movement monitoring ongoing.

The Enforcement Record and Why It Matters

The Grinex breach is one incident in a longer pattern. Iran-based exchange Nobitex lost approximately $90 million on June 18, 2025, in an attack where pro-Israel hacker group Gonjeshke Darande (Predatory Sparrow) claimed responsibility. Rather than extracting the funds for financial gain, the attackers burned them—transferring the stolen assets to specially crafted wallet addresses for which no private key exists, rendering the funds permanently inaccessible. Those addresses were vanity addresses embedding the phrase “FuckIRGCterrorists” directly into the wallet public key strings across multiple blockchains—the specific TRON address first flagged by ZachXBT was TKFuckiRGCTerroristsNoBiTEXy2r7mNX, incorporating both the political phrase and the target exchange name—embedding a political message permanently into the blockchain record. Chainalysis and Elliptic both measured the total destruction at approximately $90 million across Bitcoin, Ether, and multiple other chains; an $81 million figure appeared in some earlier reporting based on what Nobitex initially confirmed, but the higher figure reflects the full on-chain outflow tracked by blockchain intelligence firms. The attack was a deliberate act of political and financial sabotage, not a theft. North Korean state-affiliated groups including Lazarus have been responsible for some of the largest cryptocurrency thefts on record. The intersection of geopolitics, sanctions pressure, and crypto exchange infrastructure has become a consistent feature of the threat landscape since 2022.

What distinguishes the Grinex case is the layered enforcement history preceding the hack. OFAC sanctioned the predecessor exchange in 2022. International law enforcement dismantled that exchange in March 2025. OFAC sanctioned Grinex itself in August 2025 as a direct successor. And now the exchange has been hit with a breach that has knocked it offline entirely. Whether the hack represents an informal continuation of enforcement pressure, opportunistic criminal targeting of a weakened and isolated platform, or something else remains an open question.

  • April 2022
    OFAC sanctions Garantex for processing transactions tied to darknet markets and ransomware operations including Hydra, Conti, and LockBit.
  • December 2024
    Grinex incorporated in Kyrgyzstan by an individual with no known prior exchange history. A7A5 stablecoin infrastructure begins development in parallel.
  • January 2025
    Garantex wallets begin moving funds into A7A5, indicating foreknowledge of impending enforcement, per TRM Labs on-chain analysis.
  • March 6, 2025
    U.S. Secret Service, Germany, and Finland seize Garantex domains and freeze $26 million in cryptocurrency. DOJ unseals indictments against executives the following day.
  • March–April 2025
    Grinex goes live as Garantex successor. Customer deposits migrate via one-time-use wallets. Telegram channels affiliated with Garantex begin promoting the new platform within days.
  • August 14, 2025
    OFAC formally sanctions Grinex under Executive Order 13694 as an entity owned or controlled by Garantex. Old Vector LLC (A7A5 issuer) sanctioned simultaneously. UK follows August 20.
  • November 25, 2025
    EU 19th sanctions package takes effect, explicitly banning all transactions involving A7A5 and designating affiliated entities. Grinex continues operating.
  • April 16, 2026
    Grinex hacked for $13.7M. 54+ wallets drained. Stolen USDT converted to TRX and ETH via SunSwap within hours. Operations suspended.

A note on Grinex's total transaction volume: figures cited in different outlets vary considerably. Elliptic documented Grinex's total cryptoasset transaction history at over $6 billion. Global Ledger's on-chain data shows Grinex processed more than $8.7 billion USDT between March 6 and November 10, 2025 alone. Chainalysis tracked at least $4.76 billion in Grinex-processed volume during 2025. These figures are not contradictory; they measure different time windows and use different methodologies. The Global Ledger figure covers a nine-month window post-Garantex seizure; the Elliptic figure appears to represent a more conservative cumulative count; and Chainalysis's figure covers the 2025 calendar year. All sources are consistent in placing Grinex among the largest ruble-to-crypto exchanges in operation, running hundreds of millions of dollars per month even after sanctions. When OFAC designated Grinex in August 2025, its press release noted that Grinex's own promotional materials acknowledged the exchange was formed in response to the sanctions imposed on Garantex—a remarkably candid admission. This article does not cite a single definitive lifetime Grinex volume because no single authoritative figure exists; the figures above represent the range documented by primary sources.

For defenders and compliance teams, the Grinex case illustrates a structural problem: sanctions and law enforcement actions against crypto exchanges have consistently failed to permanently shut down the underlying financial networks. Garantex operated for years after its 2022 OFAC designation. Grinex emerged within days of Garantex's disruption. The A7A5 token processed tens of billions before enforcement caught up with it. Contingency planning, jurisdictional arbitrage, and decentralized financial infrastructure have allowed this network to absorb multiple enforcement actions and continue operating.

A February 2026 report from Elliptic identified five additional Russia-linked exchanges filling the void left by the Garantex takedown. ABCeX, the largest of those flagged, processes ruble-to-crypto trades from Moscow's Federation Tower—the same office building Garantex occupied before its domain seizure—and has processed at least $11 billion in crypto with significant volumes flowing to Garantex and affiliated entities. Exmo, which claimed to have exited Russia after the 2022 invasion by selling its regional business to a separate entity called Exmo.me, was found to share identical custodial wallet infrastructure with its supposed successor, with deposits pooled into the same hot wallets. Rapira, a Georgia-incorporated exchange with a Moscow office, transacted more than $72 million directly with Grinex; Russian authorities reportedly raided Rapira's Moscow offices in late 2025 over suspected capital flight to Dubai. The Elliptic finding underscores the pattern: the Garantex takedown dispersed the sanctions evasion infrastructure across a broader set of platforms rather than eliminating it.

Context: Where Grinex Sits Among Major Crypto Exchange Incidents

  Bybit (2025)        $1,500M
  Ronin Bridge        $625M
  Mt. Gox (2014)      ~$450M
  Nobitex (2025)      $90M
  Bitfinex (2016)     $72M
  Grinex (2026)       $15M
  Garantex freeze     $26–28M

Bars scaled relative to Bybit ($1.5B). The Grinex loss is smaller in absolute terms but strategically significant given the exchange's role in Russia's parallel financial infrastructure.

What Happens to Users Now

The most pressing practical question for the thousands of individuals and businesses who held funds on Grinex is one the article has not yet answered: what is the realistic path to recovery? The answer, based on the specific circumstances of this breach, is difficult.

Grinex has filed a criminal complaint and stated its intent to continue operating, but has announced no compensation plan. The exchange has not said when services will resume, and given its sanctions status, any resumption of operations—if it occurs at all—would require navigating significant legal complexity. The path a sanctioned entity takes after a major hack is not the same as the path a compliant exchange takes. Compliant exchanges typically carry insurance, have established relationships with regulators, and can access third-party capital for user compensation. Grinex has none of those options available in any Western jurisdiction.

The historical record of exchange hacks at this scale is not encouraging for users. When Mt. Gox collapsed in 2014 after the theft of approximately 850,000 Bitcoin, creditors waited over a decade for partial distributions through a prolonged insolvency process. The Bitfinex hack of 2016, in which $72 million in Bitcoin was stolen, resulted in haircuts distributed to all account holders regardless of whether their specific wallets were affected. QuadrigaCX, the Canadian exchange whose CEO died with sole custody of the private keys, went through insolvency proceedings that returned fractions of user deposits years later. These cases share a common feature: centralized exchanges that fail tend to fail slowly, with user recovery stretching across years and often yielding partial compensation at best.

The specific complication in Grinex's case is the sanctions layer. Users in Russia who held funds denominated in rubles or A7A5 are in an especially complex position. The stablecoin itself—A7A5, backed by Promsvyazbank deposits—is now issued by a sanctioned entity under a sanctioned framework. Even if Grinex were to attempt a recovery plan involving A7A5 redemption, any institution that participated in that settlement would face OFAC exposure in any jurisdiction subject to U.S. law. The exchange's own legal situation makes it impossible to engage with Western legal or financial systems. Kyrgyz courts and law enforcement are the only institutional recourse available, and neither has previously taken enforcement action against the exchange despite multiple international designations.

For users whose funds were not in the 54 compromised wallets, the situation is different but not clearly better. Their balances are intact on Grinex's books, but they cannot withdraw them while operations are suspended. Whether those funds remain accessible depends entirely on whether Grinex successfully resumes operations—something the exchange has committed to but has not demonstrated any concrete plan for. The exchange confirmed to various outlets that it does not intend a permanent shutdown, but that statement carries limited weight absent a disclosed timeline or financing plan. The most likely near-term scenario for unaffected users is continued uncertainty: unable to access funds, unable to engage Western legal systems due to the sanctions barrier, and dependent on an exchange whose operational future is unclear.

Frequently Asked Questions: The Grinex Hack

How much was stolen in the Grinex hack?

Attackers stole approximately 1 billion rubles, equivalent to roughly $13.7 million USD, from 54 wallets holding primarily USDT on the TRON blockchain. Blockchain data tracked by Elliptic shows outgoing transactions totaling approximately $15 million when accounting for post-theft conversion activity.

What is the connection between Grinex and Garantex?

Grinex is widely assessed by blockchain intelligence firms Elliptic and TRM Labs as the direct operational successor to Garantex, a Russian crypto exchange disrupted by U.S., German, and Finnish authorities in March 2025. Grinex was incorporated in Kyrgyzstan on December 23, 2024—approximately ten weeks before the Garantex seizure—and shares near-identical interfaces, operational patterns, and client bases with its predecessor. OFAC formally sanctioned Grinex in August 2025 as a continuation of Garantex's activity.

What is A7A5 and why does it matter to this hack?

A7A5 is a Russian ruble-backed stablecoin issued by Kyrgyzstani company Old Vector, backed by deposits at sanctioned Russian bank Promsvyazbank. It was created to allow Garantex customers to recover frozen funds after the March 2025 takedown. A7A5 has processed over $100 billion in volume and was the primary trading asset on Grinex, making the exchange a critical node in Russia's sanctions evasion infrastructure.

How did the attackers handle the stolen funds?

According to Elliptic, the theft occurred at approximately 12:00 UTC on April 16, 2026. Stolen USDT was sent to addresses on the TRON and Ethereum blockchains and then converted into TRX and ETH through the SunSwap decentralized trading protocol. Converting away from USDT was a deliberate step to avoid the risk of Tether freezing the stolen stablecoin balances, a countermeasure Tether has used in prior high-profile thefts.

How did the attackers get into Grinex's wallets?

Grinex has not disclosed the technical entry point. The attack targeted hot wallets specifically, leaving cold storage unaffected. The coordinated, scripted nature of the drain across 54-plus wallets in a single window is consistent with pre-positioned access to private keys or the transaction-signing infrastructure, rather than a real-time intrusion. The most common mechanisms in comparable exchange breaches are compromised private key storage, a hijacked signing flow, or insider access. No independent forensic firm has published a root-cause analysis as of April 17, 2026.

Can Grinex users recover their funds?

Recovery is highly uncertain. Grinex has published no compensation plan, has no Western regulatory standing due to sanctions, and cannot access conventional exchange insurance or legal frameworks. Users whose wallets were directly drained face the same problem as victims of any uninsured exchange hack. Users whose funds were not in the compromised wallets remain locked out pending operational resumption, which has no confirmed timeline. The historical record of exchange-hack recoveries at comparable scale suggests partial, slow, and often legally complex outcomes even under favorable conditions—conditions that do not apply here given Grinex's sanctions status.

Why was Grinex still operating under three layers of sanctions?

Grinex operated under Kyrgyz registration, and Kyrgyzstan did not enforce the U.S., UK, or EU sanctions designations domestically. Sanctions issued by OFAC, OFSI, and the EU prohibit U.S. persons and entities in relevant jurisdictions from transacting with Grinex, but do not compel a third country to shut down a domestically registered exchange. Since Grinex's primary customer base was Russian and its infrastructure was in Kyrgyzstan, the sanctions created friction—blocked withdrawals outside the CIS, marked wallets, restricted correspondent banking—but did not and could not unilaterally remove the exchange from operation. Shutting down a foreign exchange operating legally in its home jurisdiction requires either that country's domestic enforcement action or a sustained technical takedown, neither of which occurred before the hack.

MITRE ATT&CK Technique Mapping and NIST Framework References

The behaviors documented in this incident — and in the broader Garantex–Grinex operational history — map directly to established MITRE ATT&CK techniques and NIST guidance. The following is not speculative; it reflects documented behaviors from court filings, on-chain forensics, and incident reporting. Defenders and compliance teams can use these mappings to prioritize controls and validate detection coverage.

ATT&CK Techniques: The April 16 Breach

  • The most probable root cause. Hot wallet private keys were accessed and used to authorize outbound transactions. The sweep of 54+ wallets in a single scripted window is consistent with pre-obtained signing credentials, not a real-time intrusion. NIST SP 800-57 and SC-12 (800-53) directly address this gap.
  • The on-chain transactions were authorized-looking sweeps, not anomalous intrusion noise. The attacker appeared to the TRON network as a legitimate wallet operator. This is the hallmark of T1078: using obtained credentials to blend into normal activity, defeating signature-based detection.
  • The direct objective. MITRE added T1657 specifically to cover cryptocurrency theft and bank hacking as an Impact-tactic technique. The conversion to TRX via SunSwap to avoid Tether freezing is an operational sub-step within this technique's execution pattern.
  • The use of one-time-use intermediary wallets, multi-hop routing through TRON and Ethereum addresses, and the immediate asset conversion all constitute deliberate on-chain obfuscation of the funds trail — the blockchain equivalent of obfuscating an exfiltration path.
  • The coordinated, scripted nature of the sweep implies pre-positioning: the attacker had already mapped and staged against Grinex's hot wallet infrastructure before the execution window. The simultaneous TokenSpot probe reinforces that multiple targets were pre-surveyed.
  • Converting USDT to TRX removed the most actionable forensic handle: Tether's freeze capability. This is the blockchain-native equivalent of clearing logs — eliminating the indicator (USDT contract traceability) that would enable the fastest response from a central issuer.
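The T1078 point above is that each individual transfer looked legitimate, so a per-transaction rule cannot catch the drain; what is anomalous is the aggregate. The following detection rule is an added example written for this article, not Grinex's code or any vendor's product: it slides a time window over outbound transfers and alerts when near-full-balance withdrawals hit many distinct hot wallets within minutes. The transfer records, wallet identifiers and the tuning constants (window length, wallet count, drain ratio) are constructed assumptions; a real deployment would feed it from the signing service's audit log and wire the alert to an automatic withdrawal pause.

```python
"""Flag a coordinated hot-wallet sweep in outbound transfer records.

Added example (not Grinex's code, not any vendor's detection rule). The
transfer records below are constructed. The rule: a burst of near-full-
balance outbound transfers from many distinct hot wallets inside a short
window, which is the signature described for the April 16 drain and the
kind of trigger that should pause withdrawals automatically.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime           # time the outbound transaction was signed/broadcast
    wallet: str            # hypothetical internal hot-wallet identifier
    amount: float          # amount sent out, in units of the asset
    balance_before: float  # wallet balance immediately before the transfer


@dataclass(frozen=True)
class SweepAlert:
    window_start: datetime
    triggered_at: datetime
    wallets: tuple         # distinct wallets drained when the threshold was crossed


SWEEP_WINDOW = timedelta(minutes=10)  # assumed tuning values, not from the article
MIN_WALLETS = 5
DRAIN_RATIO = 0.95                    # >= 95% of balance leaving counts as a drain


def is_drain(t: Transfer) -> bool:
    """A transfer that empties (or nearly empties) its wallet."""
    return t.balance_before > 0 and t.amount / t.balance_before >= DRAIN_RATIO


def detect_sweeps(transfers) -> list:
    """Slide a time window over drains; alert the first time the number of
    distinct drained wallets in the window reaches MIN_WALLETS, then stay
    quiet until the window falls below the threshold again."""
    window = deque()
    alerts = []
    alerting = False
    for t in sorted(transfers, key=lambda x: x.ts):
        if not is_drain(t):
            continue
        window.append(t)
        # Drop drains older than the window; t itself always remains.
        while t.ts - window[0].ts > SWEEP_WINDOW:
            window.popleft()
        distinct = sorted({x.wallet for x in window})
        if len(distinct) >= MIN_WALLETS:
            if not alerting:
                alerting = True
                alerts.append(SweepAlert(window[0].ts, t.ts, tuple(distinct)))
        else:
            alerting = False
    return alerts


T0 = datetime(2026, 4, 16, 12, 0)  # constructed reference time (UTC)

# Constructed baseline: routine partial withdrawals plus one isolated full drain,
# which on its own should not trigger the rule.
NORMAL = [
    Transfer(T0 - timedelta(hours=3), "hw-01", 1_000.0, 50_000.0),
    Transfer(T0 - timedelta(hours=2), "hw-02", 2_500.0, 80_000.0),
    Transfer(T0 - timedelta(hours=1), "hw-03", 49_990.0, 50_000.0),
]

# Constructed sweep: eight wallets emptied 30 seconds apart.
SWEEP = [
    Transfer(T0 + timedelta(seconds=30 * i), f"hw-{10 + i:02d}", 99_990.0, 100_000.0)
    for i in range(8)
]

if __name__ == "__main__":
    for a in detect_sweeps(NORMAL + SWEEP):
        print(f"SWEEP at {a.triggered_at:%H:%M:%S}: {len(a.wallets)} wallets drained "
              f"since {a.window_start:%H:%M:%S} -> {', '.join(a.wallets)}")
```

The alert fires on the fifth wallet, two minutes into the constructed sweep, and a single full withdrawal an hour earlier does not trip it. Tuning the window and wallet count against the exchange's own withdrawal baseline is what separates a usable rule from one that pages on every busy hour.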

ATT&CK Techniques: The Garantex–Grinex Sanctions Evasion Operation

  • The Garantex→Grinex rebrand is a textbook T1036 operation at the organizational level: a sanctioned entity assuming a new identity to continue operating while appearing to be a new, unrelated exchange. Sergey Mendeleev's laughing-emoji Telegram post underscores the deliberateness of the facade.
  • Court documents establish that Garantex redesigned its infrastructure post-2022 specifically to defeat blockchain analytics attribution tools. Elliptic noted this mirrors techniques used by AlphaBay. This is not incidental evasion — it is documented, deliberate impairment of the tools used to enforce sanctions.
  • Garantex moved its operational cryptocurrency wallets to different virtual addresses on a daily basis — per court documents — to make it structurally impossible for U.S. exchanges to build a blocklist of Garantex addresses. This is programmatic, automated obfuscation of transaction metadata at scale.
  • The A7A5 burn-and-reissue step — assessed by Global Ledger as explicitly designed to sever the on-chain link to Garantex — is indicator removal on blockchain. The technique removes the forensic chain connecting the new Grinex hot wallet to its Garantex origin address.
  • The incorporation of Grinex in Kyrgyzstan in December 2024 — months before the Garantex seizure — is infrastructure pre-acquisition. The network registered new company entities, new domains, and new wallet infrastructure in a jurisdiction selected specifically for enforcement resistance.
  • Grinex's suspension of all user withdrawals after the breach — while intended as protective — functionally maps to T1531: users lost access to their accounts as a direct result of the incident. The 54 compromised wallets are the explicit cases; the thousands of locked non-compromised accounts illustrate the collateral access-removal impact.

Applicable NIST Special Publications

  • The foundational NIST publication on cryptographic key lifecycle: generation, distribution, storage, access, and destruction. The probable root cause of the Grinex breach — insecure hot wallet private key storage or signing-flow compromise — is precisely the failure mode this document addresses. Any exchange holding customer funds in hot wallets should treat this as baseline, not aspirational.
  • Covers key management policy and planning for any organization that uses cryptography — explicitly extended to private-sector applicability. The operational question of whether Grinex used hardware security modules (HSMs) for key storage, enforced key ceremony procedures, or separated signing authority is directly answered by complying with this guidance.
  • The specific 800-53 control requiring organizations to establish and manage cryptographic keys for required cryptography in accordance with defined requirements for key generation, distribution, storage, access, and destruction. Non-compliance with SC-12 is the direct technical expression of the failure this incident represents.
  • SC-28 requires protecting the confidentiality and integrity of information at rest — including cryptographic keys stored on exchange infrastructure. IA-5 governs authenticator management, covering initial distribution, replacement, revocation, and the protection of authenticators from unauthorized disclosure. The breach scenario maps to a failure in both.
  • The sweep of 54 wallets in a single operation suggests the attacker had access to a signing authority that spanned the entire hot wallet cluster, not a single wallet. Least-privilege architecture (AC-6) would isolate signing authority per wallet or per transaction threshold. AC-2 governs account lifecycle management, including privileged service accounts used in signing flows.
  • Grinex's response — suspend operations, file a criminal complaint, share data with law enforcement — covers basic Respond and Recover functions. Absent from the public record: any detection timeline, any forensic chain-of-custody documentation, any containment playbook evidence, any communication to users about the scope of the investigation. SP 800-61r3's Communicate function was not visibly executed.
  • The question of whether Grinex inherited Garantex's security vulnerabilities during the emergency rebrand is a cyber resiliency engineering question this publication directly addresses. Survivability, disruption tolerance, and the ability to withstand adversarial attacks against critical functions are the resiliency properties that a platform stood up rapidly under enforcement pressure would need to have consciously engineered — and almost certainly did not.

For compliance teams at exchanges, custodians, or financial institutions with any exposure to the Garantex–Grinex network through A7A5 trades or transaction counterparties: the OFAC designations trigger reporting and blocking obligations under 31 C.F.R. Part 501, and any transaction with a designated entity after the designation date is a potential violation regardless of whether the counterparty disclosed its identity. The NIST controls above describe the security posture that would have been required to prevent this breach; they also describe the security posture required to avoid becoming a future target in the same infrastructure category.

How to Assess Your OFAC Sanctions Exposure After the Grinex Designation

Compliance teams and exchanges that may have transacted with any part of the Garantex–Grinex network face a specific set of review obligations. The following steps reflect the standard workflow for OFAC exposure assessment under 31 C.F.R. Part 501.

  1. Screen your transaction history against OFAC designations. Pull all outbound and inbound transactions from August 14, 2025 onward and screen counterparty wallet addresses against the OFAC SDN list. Grinex was designated on August 14, 2025 under Executive Order 13694. Any transaction with a designated entity after that date is a potential violation regardless of whether the counterparty disclosed its identity.
  2. Check for A7A5 token exposure. Identify any transactions involving the A7A5 ruble-backed stablecoin. Old Vector LLC, the A7A5 issuer, was sanctioned simultaneously with Grinex on August 14, 2025. The EU banned all A7A5 transactions effective November 25, 2025 under its 19th sanctions package. A7A5 operates on both the TRON and Ethereum blockchains.
  3. Identify Garantex-linked wallet clusters. Cross-reference counterparty addresses against OFAC-labeled Garantex wallet clusters. Blockchain intelligence tools from Elliptic, TRM Labs, Chainalysis, and Crystal Intelligence maintain updated labeling for the Garantex–Grinex network. The OFAC-labeled address TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq is a documented pivot point in the fund migration chain.
  4. File a Voluntary Self-Disclosure if exposure is found. If transactions with designated entities are identified, consult legal counsel immediately. Voluntary Self-Disclosure to OFAC is a mitigating factor in enforcement actions. Document all relevant transaction records, counterparty information, and the date you identified the exposure.
  5. Implement real-time blockchain analytics controls going forward. Deploy transaction screening that checks wallet addresses against sanctions lists before transactions settle. Static blocklists are insufficient because the Garantex–Grinex network used daily wallet rotation to defeat fixed address lists. Behavioral heuristics from blockchain analytics providers are required to catch obfuscated flows.
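Steps 1 through 4 above reduce to a screening pass over the transaction ledger that is aware of designation dates. The script below is an added example for this article, not OFAC's tooling or any vendor's screening product: it matches counterparty addresses against a screening list, separates post-designation hits (potential violations) from pre-designation ones (document for the file), flags A7A5 transfers against the two dates the article gives, and reports whether the Voluntary Self-Disclosure decision in step 4 is triggered. The ledger rows, the severity labels and every address except one are constructed placeholders; the one real address is the OFAC-labeled pivot address cited in step 3, and the effective date attached to it here is the Grinex designation date, used for illustration. Step 5's behavioral heuristics are outside what a static list like this can do.

```python
"""Screen a transaction ledger for Garantex-Grinex and A7A5 sanctions exposure.

Added example for the review workflow in the article; not OFAC's tooling or
any vendor's screening product. Ledger rows, placeholder addresses and the
severity labels are constructed. The only real address is the OFAC-labeled
pivot address cited in the article; its effective date here is the Grinex
designation date, used for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Designation:
    entity: str
    effective: date    # from this date a transaction is a potential violation


@dataclass(frozen=True)
class Tx:
    tx_id: str
    when: date
    counterparty: str  # counterparty wallet address
    asset: str         # asset symbol as recorded in the ledger
    amount: float


@dataclass(frozen=True)
class Finding:
    tx_id: str
    severity: str      # VIOLATION_RISK | REVIEW | A7A5_EXPOSURE
    reason: str


def norm(addr: str) -> str:
    """Hex (Ethereum-style) addresses are case-insensitive; base58 TRON addresses are not."""
    return addr.lower() if addr.startswith("0x") else addr


# Constructed screening list. A real program loads the current SDN list and
# vendor cluster labels; only the first key comes from the article.
SANCTIONED_ADDRESSES = {norm(k): v for k, v in {
    "TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq":
        Designation("Garantex-Grinex cluster (OFAC-labeled)", date(2025, 8, 14)),
    "T-PLACEHOLDER-GRINEX-HOT-WALLET":
        Designation("Grinex (placeholder address)", date(2025, 8, 14)),
    "0xPLACEHOLDER-OLD-VECTOR-TREASURY":
        Designation("Old Vector LLC (placeholder address)", date(2025, 8, 14)),
}.items()}

# A7A5 is matched on the asset tag, not on an address; the dates are from the article.
A7A5_RESTRICTIONS = [
    Designation("OFAC designation of Old Vector LLC, the A7A5 issuer", date(2025, 8, 14)),
    Designation("EU 19th sanctions package ban on all A7A5 transactions", date(2025, 11, 25)),
]


def screen(ledger) -> list:
    """Steps 1-3: address screening with designation-date awareness, then A7A5 exposure."""
    findings = []
    for tx in ledger:
        hit = SANCTIONED_ADDRESSES.get(norm(tx.counterparty))
        if hit is not None:
            if tx.when >= hit.effective:
                findings.append(Finding(tx.tx_id, "VIOLATION_RISK",
                    f"post-designation transaction with {hit.entity} (effective {hit.effective})"))
            else:
                findings.append(Finding(tx.tx_id, "REVIEW",
                    f"pre-designation transaction with {hit.entity}; document for the file"))
        if tx.asset.upper() == "A7A5":
            for r in A7A5_RESTRICTIONS:
                if tx.when >= r.effective:
                    findings.append(Finding(tx.tx_id, "A7A5_EXPOSURE",
                        f"A7A5 transfer after {r.effective}: {r.entity}"))
    return findings


def needs_voluntary_self_disclosure(findings) -> bool:
    """Step 4 trigger: any post-designation match means counsel and a VSD review."""
    return any(f.severity == "VIOLATION_RISK" for f in findings)


# Constructed ledger; every address except the first is a placeholder.
LEDGER = [
    Tx("tx-1", date(2025, 7, 30), "TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq", "USDT", 12_000.0),
    Tx("tx-2", date(2025, 9, 2), "T-PLACEHOLDER-GRINEX-HOT-WALLET", "USDT", 4_500.0),
    Tx("tx-3", date(2025, 10, 15), "T-CONSTRUCTED-CLEAN-COUNTERPARTY", "A7A5", 900.0),
    Tx("tx-4", date(2025, 12, 1), "0xCONSTRUCTED-CLEAN-COUNTERPARTY", "ETH", 2.0),
    Tx("tx-5", date(2025, 12, 3), "T-CONSTRUCTED-CLEAN-COUNTERPARTY", "A7A5", 300.0),
]

if __name__ == "__main__":
    results = screen(LEDGER)
    for f in results:
        print(f"{f.tx_id}  {f.severity:15}  {f.reason}")
    print("VSD review required:", needs_voluntary_self_disclosure(results))
```

On the constructed ledger, tx-2 is the only post-designation counterparty match and is what drives the disclosure decision; tx-1 touches the same cluster before the designation date and is kept as a review item rather than silently dropped; the two A7A5 transfers pick up one or two findings depending on whether they fall after the OFAC date only or after the EU ban as well. The same address-list approach is exactly what the daily wallet rotation described in step 5 is designed to defeat, which is why the list must be refreshed from a blockchain-analytics feed rather than maintained by hand.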

Key Takeaways

  1. Grinex was a sanctioned target with a documented history. OFAC, the UK, and the EU had all designated Grinex before the hack. The exchange was operating under full international sanctions as the successor to Garantex. Its continued operation represented a known gap in enforcement.
  2. The stolen funds were converted to avoid a Tether freeze. The swap of stolen USDT into TRX and ETH through SunSwap was operationally deliberate. Attackers demonstrated knowledge of on-chain counterintelligence techniques, specifically the risk of stablecoin-issuer freezes.
  3. Attribution remains unverified. Grinex's claim of Western state-actor involvement has no independent confirmation. The technical execution is consistent with a skilled adversary, but that does not narrow the field to foreign intelligence agencies. Financial motivation, ransomware actors, and independent nation-state actors all remain plausible.
  4. The Garantex network has survived multiple enforcement actions. From the 2022 OFAC designation through the 2025 takedown through the August 2025 Grinex sanctions, this network has absorbed significant pressure and continued operating. The hack may represent a more disruptive blow than prior legal actions—but the network's resilience to date makes premature conclusions about its demise unwarranted.
  5. A7A5 and similar instruments expand Russia's sanctions evasion surface. Ruble-backed stablecoins backed by deposits at sanctioned institutions and traded on sanctioned exchanges represent a category of financial infrastructure that traditional sanctions enforcement has struggled to contain. Regulatory frameworks have not kept pace with the speed of deployment.

Grinex has filed a criminal complaint and provided available evidence to law enforcement. The exchange has not announced a timeline for resuming operations, and given its sanctions status, the path to reopening—if one exists—runs through significant legal complexity. What this breach has done is cast a light on the full architecture of Russia's crypto-enabled sanctions evasion network: the Garantex origin, the Grinex rebrand, the A7A5 bridge, and the Kyrgyz jurisdictional cover. Understanding that architecture is the prerequisite to any serious disruption of it.

Sources and Verification Notes

This article is based on primary reporting from blockchain intelligence firms Elliptic and TRM Labs, both of which published analyses of the Grinex hack on April 16–17, 2026. Secondary sources include BleepingComputer's reporting (Bill Toulas, April 17, 2026), CoinDesk's coverage (April 17, 2026), Cointelegraph via TradingView (April 17, 2026), and crypto.news (April 17, 2026). The OFAC designation of Grinex in August 2025 is drawn from the U.S. Treasury's official press release at home.treasury.gov. On-chain wallet address data and the Garantex-to-Grinex fund transfer chain were sourced from Global Ledger's forensic reporting. The A7A5 stablecoin transaction figures draw from Chainalysis's 2026 Crypto Crime Report, TRM Labs' sanctions evasion research, and Elliptic's cumulative tracking through early 2026. The Nobitex parallel and Predatory Sparrow attribution are sourced from Elliptic's June 18, 2025 analysis, BleepingComputer's same-day reporting, and TRM Labs' post-breach source code analysis published July 1, 2025. The vanity address string FuckiRGCTerroristsNoBiTEX is confirmed by on-chain data via the TRON address TKFuckiRGCTerroristsNoBiTEXy2r7mNX, documented by ZachXBT, Watcher.Guru, Outpost24, and Elliptic. ABCeX, Exmo.me, and Rapira details are sourced from Elliptic's February 2026 report on Russia-linked exchanges. The EU 19th sanctions package date and language are drawn from official EU Council documentation. Kyrgyz President Japarov's appeal is sourced from public statements covered in regional and international financial press at the time of the August 2025 UK designation. The State Department reward figures for Mira Serda and other Garantex principals are from the official Rewards for Justice announcement. Where figures conflict across sources, this article explains the discrepancy and cites the basis for the figure used. All hyperlinked citations in the JSON-LD schema point to the original source documents.