Grinex, TokenSpot Hit in Billion-Ruble Hack

Sanctioned Kyrgyz-registered exchange Grinex lost over 1 billion rubles (about $15 million) in a hack that blockchain forensics traced largely as USDT on the Tron network. The stolen USDT was converted via the decentralized exchange SunSwap into nearly 46 million TRX and moved to a single consolidation address.

A blockchain forensics firm reported that a smaller tranche of assets, valued under $5,000 and linked to the Kyrgyz-registered TokenSpot, was sent to the same consolidation wallet. Grinex identified 54 addresses connected to the breach; the firm flagged an additional 16 addresses, some used in transfers from TokenSpot.

Grinex halted trading on Wednesday. TokenSpot posted a Telegram notice of maintenance the same day and resumed operations the following day.

Both platforms are registered in Kyrgyzstan, serve mainly Russian customers and support ruble transactions. Grinex is the successor to the Russian exchange Garantex, which was taken offline in an international operation last year, and maintains an office in the same Moscow business center as its predecessor. When Garantex was shut down, the issuer of USDT froze about $27 million linked to that platform.

Grinex described the incident as a large-scale cyberattack with indications of foreign intelligence involvement and said it had shared incident data with law enforcement. An anti-money-laundering provider reported that on-chain analysis suggests another service in the same Moscow business center was affected.

Some compliance specialists examined transaction timing and patterns. One AML team noted exchange wallets were emptied in roughly five minutes by an automated sequence seen in prior major exchange breaches, and said the pattern does not require access to state resources. Another compliance platform assessed that the transaction signatures do not match those of elite state-backed hacker groups, while also noting Grinex’s sanctioned status by the U.S., EU and U.K. makes it a potential intelligence target and pointing to a 2025 attack that cost an Iranian exchange $90 million and was linked to a state-associated actor.

Investigators and blockchain analysts are monitoring the consolidation address and the flow of converted TRX. Authorities will examine the flagged addresses, transaction timing and any links between the two platforms as they determine whether the breaches were carried out by organized cybercriminals or involved state actors.

Additional context for investigators includes Grinex’s extensive use of the ruble-pegged stablecoin A7A5; the exchange has processed more than $93 billion in transactions using that token. Entities linked to A7A5, including the Kyrgyz-registered issuer Old Vector, are subject to Western sanctions.