Russian-linked cryptocurrency exchange Grinex has paused all operations after hackers stole roughly 1 billion roubles, or about $13 million, in a cyber attack.
In a Thursday statement posted on its Telegram channel, the company said the digital traces pointed to a highly sophisticated operation backed by significant resources and advanced technology.
Grinex added that such capabilities are usually linked to state-level actors. However, there is still no independent proof to confirm these claims.
“The digital footprints and nature of the attack indicate an unprecedented level of resources and technologies available exclusively to entities of unfriendly states,” Grinex stated.
“According to preliminary data, the attack was coordinated with the aim of causing direct harm to Russia’s financial sovereignty,” it added.
Grinex says pressure had been building before the hack
The company also said its systems had been under pressure even before the hack. It reported repeated attempts to block crypto withdrawals outside the Commonwealth of Independent States (CIS). In addition, it faced sanctions-related restrictions and increased wallet tracking activity.
“Since the beginning of our work, the exchange’s infrastructure has been subjected to attacks,” a company representative said. Today, attempts to destabilize the domestic financial sector have reached a new level – the direct theft of assets of Russian citizens and companies using complex cyberattacks.”
Grinex did not describe the exact method hackers used to access its wallets. However, the exchange attached a file listing wallet addresses connected to the stolen assets. It urged investigators and blockchain analysts to help track the funds.
Grinex said the stolen funds were quickly swapped into TRX, which is the native token of the Tron blockchain. The funds were then moved to one wallet address. At the time of reporting, that wallet held about 45.9 million TRX, worth nearly $15 million.
After the breach, Grinex shut down all activity on its platform as a safety measure to protect its systems and stop any further damage. So far, the exchange has not said when services will be restored.
Sanctions and background scrutiny
Grinex was already under strong international scrutiny before the hack.
Authorities in the United States, the United Kingdom, and the European Union had placed sanctions on the exchange last year over concerns about its activities. Officials also raised claims that the platform may have supported Russia’s wartime financial operations.
The exchange, which operates from Kyrgyzstan but serves many Russian clients, launched in 2025 after the shutdown of Garantex, a Moscow-linked crypto platform that had earlier faced U.S. sanctions.
It has been reported that Grinex came up as an alternative, and users and liquidity moved to the new platform leaving the older platform.
A key reason Grinex has attracted attention is its link to A7A5, a ruble-backed stablecoin. Authorities have said the token was used to help users move funds outside traditional banking systems under sanctions pressure.
Over time, A7A5 became an important part of the exchange’s activity. It was used for cross-border payments and settlements, especially in situations where financial restrictions applied.
The token was widely traded on Grinex alongside other assets like rubles and stablecoins such as Tether.
Recent hacks deepen crypto security concerns
The Grinex breach came amid a fresh wave of attacks across the crypto market, showing that security risks are spreading well beyond one segment.
On Thursday, blockchain security firm CertiK said Rhea Finance, a DeFi platform built on NEAR Protocol, suffered an exploit that may have caused about $7.6 million in losses.
According to CertiK, the attacker likely used fake token contracts and newly created liquidity pools to drain funds.
Another recent case involved Hyperbridge, which lost about $2.5 million in an April 13 exploit targeting its Token Gateway.
The attacker exploited a flaw in proof verification, forged cross-chain messages, minted nearly 1 billion bridged DOT tokens, and then sold them into liquidity pools across Ethereum, Base, BNB Chain, and Arbitrum.
Earlier this month, attackers stole more than $280 million from Drift Protocol in one of the biggest DeFi hacks of 2026 so far. Blockchain security researchers said that the hack could be linked to North Korea-related actors.
In March, Resolv Protocol also suffered an attack after a private key was compromised. The attacker used that access to mint 80 million unbacked USR tokens and swap them for USDC, USDT, and ETH through decentralized exchanges.