TL;DR
- Grinex, the sanctioned successor to the Russian exchange Garantex, suspended operations yesterday following a claimed 1 billion ruble ($13.7 million) cyberattack. The exchange blamed “foreign intelligence services of unfriendly states” for the breach.
- However, on-chain data shows the alleged hacker rapidly swapping exfiltrated fiat-backed stablecoins for Tron (TRX) using a decentralized exchange (DEX) previously favored by Garantex.
- Because Western law enforcement typically freezes centralized stablecoins rather than swapping them, the movement of funds raises questions about who actually exfiltrated the funds.
- At the time of writing, the exfiltrated funds remain as a balance on a single address; as the funds move downstream, forensic blockchain evidence will provide additional clues into who might be responsible for the alleged hack.
- This event follows sanctions of Grinex and the ruble-backed A7A5 token, which facilitated $93.3 billion in transactions last year.
On Thursday, April 16, 2026, Russia-linked cryptocurrency exchange Grinex announced the suspension of its operations. In statements posted to its official website and Telegram channel, Grinex representatives claimed the exchange suffered a cyberattack resulting in the loss of 1 billion rubles (approximately $13.7 million).
In its announcement, Grinex took the unusual step of publishing the specific cryptocurrency addresses from which the funds were allegedly stolen, as well as the destination address where the balance currently sits.
More notably, the exchange pointed the finger directly at Western governments, accusing foreign intelligence services of unfriendly states of coordinating the attack with the aim of harming Russia’s financial sovereignty.
While these claims remain uncorroborated, blockchain analysis allows us to look past Grinex’s public assertions and examine whether the on-chain movement of the funds supports its narrative.
The on-chain reality: Western authorities, cyber attack, or inside job?
According to on-chain data from the addresses provided by Grinex, the exfiltrated funds primarily consisted of a major fiat-backed stablecoin.
Shortly after the funds were exfiltrated, they were swapped through a popular Tron-based decentralized exchange (DEX) into Tron (TRX), the native token of the Tron blockchain. Interestingly, Garantex, Grinex’s sanctioned predecessor, previously relied heavily on this specific DEX as a source of liquidity to gas-fund its hot wallets.
This behavior immediately raises reasonable questions about Grinex’s claim that Western authorities are behind the attack.
The funds exfiltrated from Grinex were held in a centralized, fiat-backed stablecoin. When law enforcement agencies seize stablecoin funds, they have the option to issue a legal request to the stablecoin’s centralized issuer to freeze the funds globally. A prime example is the March 2025 Garantex takedown, when US law enforcement froze $26 million of the exchange’s funds.
In the case of the alleged Grinex hack, the stablecoin funds were quickly swapped for a non-freezable token, thereby avoiding the risk of having the stablecoins frozen by the issuer. This frantic swapping from stablecoins to more decentralized tokens is a hallmark tactic of cybercriminals and illicit actors attempting to launder funds before a centralized freeze can be executed.
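The freeze-evasion pattern described above, expressed as a monitoring heuristic over a transfer and swap log. This is an added example, not Chainalysis code: the event schema, the `STABLE` placeholder symbol, the addresses and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, namedtuple

# Hypothetical normalized event records (not a real indexer schema).
Transfer = namedtuple("Transfer", "ts src dst asset amount")
Swap = namedtuple("Swap", "ts trader sold sold_amount bought")

FREEZABLE = {"STABLE"}   # placeholder symbol for an issuer-freezable stablecoin
WINDOW_S = 3600          # assumed: swap happens within one hour of receipt
MIN_FRACTION = 0.8       # assumed: at least 80% of the inflow is converted

def flag_freeze_evasion(events):
    """Return {address: fraction} for addresses that converted most of a
    freezable-stablecoin inflow into a non-freezable asset within WINDOW_S."""
    inflows = defaultdict(list)    # address -> [(timestamp, amount)]
    swapped = defaultdict(float)   # address -> freezable amount sold in window
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, Transfer) and ev.asset in FREEZABLE:
            inflows[ev.dst].append((ev.ts, ev.amount))
        elif (isinstance(ev, Swap) and ev.sold in FREEZABLE
              and ev.bought not in FREEZABLE):
            # Only count swaps that closely follow a freezable inflow.
            recent = [t for t, _ in inflows[ev.trader]
                      if 0 <= ev.ts - t <= WINDOW_S]
            if recent:
                swapped[ev.trader] += ev.sold_amount
    flagged = {}
    for addr, sold in swapped.items():
        received = sum(amount for _, amount in inflows[addr])
        fraction = min(sold / received, 1.0)
        if fraction >= MIN_FRACTION:
            flagged[addr] = round(fraction, 2)
    return flagged

# Constructed sample events; addresses and amounts are illustrative only.
SAMPLE = [
    Transfer(1000, "exchange_hot", "addr_A", "STABLE", 500_000.0),
    Swap(1300, "addr_A", "STABLE", 480_000.0, "TRX"),    # fast, near-total swap
    Transfer(1000, "customer", "addr_B", "STABLE", 10_000.0),
    Swap(90_000, "addr_B", "STABLE", 10_000.0, "TRX"),   # a day later
    Transfer(2000, "customer", "addr_C", "STABLE", 10_000.0),
    Swap(2100, "addr_C", "STABLE", 1_000.0, "TRX"),      # small fraction
]

if __name__ == "__main__":
    print(flag_freeze_evasion(SAMPLE))
```

A hit is a prompt for review rather than attribution: the same pattern fits an external thief and an insider alike, which is why the downstream movement of the funds matters.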
This raises the question: if this event is not a law enforcement-led seizure aimed at freezing stablecoin funds, who might be motivated to allegedly hack Grinex? Given the exchange’s heavily sanctioned status, its restricted ecosystem, and the on-chain use of Garantex’s preferred obfuscation techniques, it is worth considering whether this incident could be a false flag attack. Russia has a well-documented history of employing false flag tactics across multiple domains, from staging physical sabotage to justify military aggression, to deploying state-aligned “hacktivist” groups to create smokescreens in cyberspace.
In the crypto ecosystem specifically, we have seen Russia-linked darknet markets and illicit services suddenly shutter under the guise of an external hack, only for on-chain data to reveal administrators quietly moving user funds to their own wallets. Faced with mounting international pressure and a shrinking operational footprint, actors associated with Grinex could be using the guise of an alleged hack to quietly siphon liquidity and execute an exit scam.
At the time of writing, the exfiltrated funds remain as a balance on a single address; as the funds move downstream, forensic blockchain evidence will provide additional clues into who might be responsible for the alleged hack.
The broader context: Grinex, Garantex, and A7A5
Yesterday’s alleged hack is the latest chapter in the turbulent history of Russia’s shadow crypto economy.
As we covered extensively in our previous reporting and in this year’s Crypto Crime Report, Grinex was established as the direct successor to Garantex following the latter’s disruption by international law enforcement. Grinex was subsequently sanctioned by the U.S. Office of Foreign Assets Control (OFAC), the UK, and the EU last year.
Grinex served as the primary trading hub for A7A5, a Russian ruble-backed token issued by the sanctioned Kyrgyzstani company Old Vector. A7A5 was explicitly designed to operate within a narrow ecosystem of Russia-linked financial services to facilitate cross-border settlements and evade Western sanctions.
Monitoring the fallout
Whether this event represents a legitimate exploit by cybercriminals or an orchestrated false flag operation by Russia-linked insiders, the disruption of Grinex deals a significant blow to the infrastructure supporting Russian sanctions evasion.
Chainalysis will continue to monitor the alleged hacker addresses and the downstream movement of the swapped TRX to shed light on possible motives for the alleged hack and to identify possible successor entities. We have labeled the relevant addresses in our product suite to ensure our customers are alerted to any exposure to these funds.


