Hackers drained Grinex wallets and moved funds through SunSwap to TRX before merging the assets into a single TRON address.
Grinex, a sanctioned cryptocurrency exchange that serves Russian companies and individual users, said it was subjected to a large-scale cyberattack that resulted in funds worth more than 1 billion rubles being stolen from its users’ wallets.
The stock exchange described the incident as a targeted operation, and claimed that there were indications of the involvement of foreign intelligence agencies. It said the technical footprint and scale of the attack indicated the use of advanced resources typically available to state-backed actors.
After the hack, Greenex suspended its operations.
The laundry path is open
In its official update, Exchange open That all relevant information has been handed over to law enforcement authorities. A criminal complaint was also filed against its infrastructure site. Greinx stated that the attack resulted in total damage estimated at approximately 13.74 million US dollars.
Blockchain analytics company TRM Labs I mentioned About 70 addresses are linked to the hack, about 16 more than what Grinex disclosed publicly. According to the results, all stolen assets were swapped into TRX through SunSwap and later pooled into a single TRON address.
The report also says that TokenSpot, which TRM found to be a potential interface linked to Garantex, was affected around the same time. Two of its wallets sent funds to the same merging address used by the wallets linked to Grinex. Both platforms reportedly stopped working on April 15, suggesting that they may have been targeted by the same attacker.
Grinex was established in Kyrgyzstan in December 2024, just weeks before a coordinated law enforcement operation in March 2025 brought down Garantex, a cryptocurrency exchange previously classified as a high-risk business. Soon after Garantex was shut down, Telegram channels connected to it began directing users towards Grinex and presented it as an alternative platform with similar features. These channels also encouraged former clients to migrate in order to regain access to frozen funds.
You may also like:
This led the US Department of the Treasury’s Office of Foreign Assets Control to impose sanctions on Greenex, along with individuals linked To Garantex and the source code A7A5, Old Vector, in the same year. Before its closure, Garantex had processed more than $100 billion in transactions while under sanctions since 2022.
The report also highlighted the use of A7A5, a ruble-pegged stablecoin issued by Old Vector. According to the findings, Garantex wallets began transferring funds to A7A5 in early 2025, before the enforcement proceedings began. After the shutdown, former users on Grinex were issued A7A5 balances equal to their frozen balances, allowing them to continue transactions through the new system.
Illicit activity linked to Russia
Previous report for the platform Found Illicit cryptocurrency flows jumped in 2025, with about $158 billion flowing into suspicious wallets. The rise is mainly related to activities linked to Russia and improved tracking methods. Despite the increase, illicit transactions still make up only about 1.2% of the total on-chain volume.
A7A5 was the largest contributor, bringing in about $72 billion in inbound value. Another $39 billion was linked to the A7 portfolio group. Most of this activity was related to Garantex, Grinex, and A7.
Free Binance $600 (CryptoPotato Exclusive): Use this link To register a new account and get an exclusive welcome offer of $600 on Binance (Full details).
Limited offer for Bybit’s CryptoPotato readers: Use this link To register and open a free position worth $500 on any currency!
