The crypto exchange Grinex said it had suspended operations after a large-scale cyberattack that, in its assessment, bore “signs of involvement by foreign intelligence services.” The statement was published on the platform’s Telegram channel on April 16.
According to the exchange, the breach led to the theft of more than 1 billion rubles from the crypto wallets of Russian users. The company also disclosed the addresses of the wallets targeted in the attack.
“The digital traces and nature of the attack point to an unprecedented level of resources and technology available exclusively to structures of hostile states. According to preliminary information, the attack was coordinated with the aim of inflicting direct damage on Russia’s financial sovereignty,” Grinex representatives said, adding that the company had contacted law-enforcement agencies.
The platform presents itself as a “leading crypto exchange” that enables “settlements between Russian businesses and citizens.” According to the Financial Times, it was established in Kyrgyzstan in early 2025.
At the same time, Grinex began processing transactions involving A7A5, a ruble-pegged stablecoin backed by deposits at Promsvyazbank, which is under sanctions. As the outlet noted in its investigation, the instrument was designed to simplify Russia’s cross-border settlements with other countries amid sanctions pressure. The company itself, however, said it complied with international sanctions regimes.
The anti-corruption organization Transparency International Russia said Grinex was, in effect, a continuation of the Garantex exchange. That platform had previously been placed under Western sanctions over links to international criminal activity and, after the start of Russia’s full-scale war against Ukraine, came to be used to evade financial restrictions.
In August 2025, the United States imposed sanctions on Grinex, citing its connection to Garantex and its involvement in cryptocurrency operations aimed at circumventing sanctions measures.