Grinex Collapse Follows Major Wallet Exploit Days After Launch

Hackers drained funds from Grinex wallets and routed them through SunSwap into TRX before consolidating the assets into a single TRON address.

Grinex, a sanctioned cryptocurrency exchange that catered to Russian businesses and individual users, reported a large-scale cyberattack that led to the theft of more than one billion rubles from user wallets.

The platform described the breach as a highly targeted operation and suggested possible involvement of foreign intelligence agencies. According to the exchange, the technical complexity and scale of the attack pointed to resources typically associated with state-backed actors.

In response to the incident, Grinex halted all operations.

Funds Movement and Investigation Details

In its official statement, the exchange confirmed that all relevant data has been shared with law enforcement authorities and that a criminal complaint has been filed in the jurisdiction where its infrastructure is based. The total losses from the attack are estimated at approximately 13.74 million USDT.

Blockchain analytics firm TRM Labs identified around seventy wallet addresses connected to the exploit, which is more than the number initially disclosed by Grinex. Their findings revealed that the stolen funds were converted into TRX using SunSwap and later gathered into a single TRON address.

The report also highlighted that TokenSpot, believed to be linked to Garantex, was impacted at roughly the same time. Two of its wallets transferred funds to the same destination address used in the Grinex incident. Both platforms reportedly went offline on April 15, suggesting they may have been targeted by the same attacker.

Grinex was established in Kyrgyzstan in December 2024, shortly before a coordinated enforcement action in March 2025 shut down Garantex, an exchange previously associated with high-risk activity. After Garantex ceased operations, related Telegram channels began directing users to Grinex as an alternative platform offering similar services. These channels encouraged former users to migrate in order to regain access to funds that had been frozen.

This development prompted the United States Treasury’s Office of Foreign Assets Control to impose sanctions on Grinex, as well as individuals connected to Garantex and Old Vector, the issuer of the A7A5 token. Prior to its shutdown, Garantex had processed more than one hundred billion dollars in transactions while under sanctions since 2022.

The report also examined the role of A7A5, a ruble-backed stablecoin issued by Old Vector. It found that Garantex wallets began shifting funds into A7A5 in early 2025 before enforcement actions took place. After the shutdown, former users received A7A5 balances on Grinex equivalent to their frozen holdings, allowing them to continue transactions within the new system.

Rise in Illicit Crypto Activity Linked to Russia

An earlier analysis by the same platform showed that illicit cryptocurrency inflows rose significantly in 2025, reaching around 158 billion dollars sent to suspicious wallets. This increase was largely attributed to Russia-linked activity and improved tracking capabilities.

Despite this rise, such transactions still accounted for only about 1.2 percent of total on-chain volume. A7A5 was identified as the largest contributor, responsible for approximately 72 billion dollars in inflows, followed by another 39 billion dollars linked to the A7 wallet cluster. Much of this activity was associated with Garantex, Grinex, and A7-related operations.