

Grinex suspended trading after hackers stole more than 1 billion rubles, or about $13.7 million, from 54 wallet addresses. Analysts traced the funds through multiple addresses after the attack. The stolen assets moved into TRX and Ether as crypto breaches spread across the sector. Did the breach extend beyond Grinex itself?
The Kyrgyzstan-registered exchange has close ties to Russia’s digital asset ecosystem. Grinex called the breach highly sophisticated. It said the methods pointed to resources often linked to hostile state intelligence agencies. The company said it gave evidence to law enforcement and filed a criminal complaint tied to the affected infrastructure.
Grinex has drawn international scrutiny because of its alleged ties to sanctions evasion. It is often described as the successor to Garantex, a crypto platform that faced sanctions. U.S. authorities accused Garantex of helping Russian entities bypass restrictions and launder funds tied to cybercriminal activity.
Analysts have also linked Grinex to trading in A7A5, a ruble-backed stablecoin. Critics say the token has served sanction-circumvention efforts. Still, Grinex denied illegal conduct and said it condemns sanctions evasion and money laundering.
Meanwhile, TRM Labs reported activity that pointed to possible spillover beyond Grinex. It said two TokenSpot-linked wallets sent about $5,000 to the same consolidation address tied to the attacker. TokenSpot later disclosed technical maintenance and a brief outage on April 15 before restoring full operations the next day. TRM made no direct accusation, yet the timing and wallet activity raised questions.
TRM Labs also identified 16 more addresses linked to the incident beyond those that Grinex disclosed. It said the main receiving wallet held 45.9 million TRON tokens, worth close to $15 million. Elliptic traced about $15 million in USDT leaving Grinex-controlled accounts. According to the firm, the attacker quickly converted the stolen stablecoins into TRX or Ether. It said the move may have aimed to reduce the chance of a Tether freeze.
The Grinex breach landed during a sharp rise in crypto security incidents. TRM Labs and Elliptic counted attacks on at least 12 DeFi protocols and crypto businesses in just over two weeks after April 1. The largest breach in that span hit Drift Protocol for $280 million. Security analysts believe a prolonged social engineering campaign drove the exploit. They also suspect actors linked to North Korea may have played a role.
Since then, platforms including CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, Rhea Finance, and Grinex have reported attacks or suspicious activity. Rhea Finance said attackers exploited a flaw in its margin trading feature and took about $7.6 million. CertiK said fake token contracts and new liquidity pools likely misled the protocol’s oracle and validation systems.
The BSC TMM/USDT liquidity pool lost about $1.67 million in a reserve manipulation attack. Dango lost about $410,000 to a smart contract bug, while Silo Finance lost $392,000 in an oracle-related exploit. Aethir also lost about $423,000 in an access control breach.
At the same time, the attack wave has fed debate over the cybersecurity risks tied to advanced AI systems. The discussion includes models such as Anthropic’s Claude Mythos and similar technologies. Experts warn that future AI systems could automate phishing, spot code flaws faster, and support more complex fraud schemes.
The Grinex hack exposed fresh risks across the crypto market as stolen funds moved through multiple wallets and into TRX and Ether. Coming amid a wider wave of DeFi attacks, the breach showed how quickly threats can spread and why stronger security controls now matter more than ever.