Pierluigi Paganini
April 17, 2026
Kyrgyz crypto exchange Grinex halted operations after a threat actor stole $13.7 million in a cyber attack that the company attributes to Western intelligence agencies. The stolen funds belonged to Russian users, as the platform supported crypto-ruble transactions for businesses and individuals, raising geopolitical tensions around the incident.
Grinex is a crypto-ruble exchange serving Russian-speaking users and operating under CIS law.
The crypto exchange revealed that hackers stole over 1 billion rubles ($13.1 million) from Russian users’ crypto wallets. Grinex reported the incident to law enforcement and filed a criminal complaint where its infrastructure is located.
“Grinex, a leading crypto-ruble exchange that facilitates digital asset transactions between Russian businesses and individuals, was subjected to a large-scale cyberattack with indications of involvement by foreign intelligence agencies.” reads the press release published by the exchange. “The digital footprint and nature of the attack indicate an unprecedented level of resources and technology, accessible only to entities of hostile states.”
Early findings suggest the attack aimed to damage Russia’s financial sovereignty.
In 2025, Grinex acquired clients and infrastructure from Garantex after an international law enforcement operation led by U.S. Secret Service seized the website (“garantex[.]org”) of the sanctioned Russian crypto exchange Garantex.
In February 2025, the EU announced sanctions on Garantex for ties to sanctioned Russian banks (Sberbank, T-Bank, and Alfa-Bank), leading Tether to block its wallets.
The Kyrgyz crypto exchange helped return over 2.5 billion rubles in crypto previously frozen by Tether. The press release includes the list of wallets from which funds were stolen.
Blockchain security firm Elliptic reported that hackers moved about $15 million in USDT to other wallets, then quickly converted it into TRX or ETH to avoid the risk of Tether freezing the funds.
“These accounts have outgoing transactions totaling approximately $15 million in USDT, at around 12:00 UTC on Wednesday. These funds are then sent to further accounts on the TRON or Ethereum blockchains.” read the report published by blockchain security firm Elliptic. “This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Crypto)
