April 2026 - A Russia-linked cryptocurrency exchange operating under the name Grinex has suspended its services after reporting a major cyberattack that allegedly resulted in the loss of more than 1 billion rubles, or about $13.1 million, in customer funds. The company said the breach forced an immediate halt to operations and claimed the attack was carried out by actors tied to what it described as unfriendly foreign states. The incident was reported on 16 April 2026.

Although Grinex is registered in Kyrgyzstan, it has been identified as closely connected to Russia and has become a significant platform for converting Russian rubles into cryptoassets. According to the report, the exchange has processed more than $6 billion in crypto-related transactions, making it a notable player in the region’s digital asset market.

In its public statement, Grinex characterized the breach as more than a standard financial crime, describing it as part of a broader effort aimed at weakening Russia’s financial autonomy. The exchange said its systems were compromised in a sophisticated operation that directly drained digital assets from its wallets. It further alleged that the attack formed part of a wider campaign to pressure regional crypto activity and limit the movement of funds outside the area.

The case has drawn added attention because of Grinex’s reported links to Garantex, a previously sanctioned Russian crypto exchange accused by authorities of laundering funds associated with ransomware operations, darknet markets, and state-backed hacking groups. Elliptic said Grinex likely shares ownership and management ties with Garantex and emerged as a successor after sanctions disrupted Garantex’s business.

The report also noted that Grinex serves as the main marketplace for A7A5, a ruble-backed stablecoin that has been associated with sanctions evasion activity. Elliptic said the token has been used to move more than $100 billion, underscoring the exchange’s importance within a broader financial network operating under sanctions pressure.

Blockchain analysis cited in the report indicated that wallets identified by Grinex as compromised sent out roughly $15 million in USDT at around 12:00 UTC on Wednesday. The funds were then routed onward through the TRON and Ethereum networks and converted into TRX or ETH, a move that may have been intended to reduce the risk of the stolen USDT being frozen