On April 16, 2026, roughly $13–15 million vanished from wallets held on Grinex, Russia's primary ruble-to-crypto exchange. The platform suspended all operations after a cyberattack drained approximately one billion rubles from user accounts. Funds remain frozen, access is blocked, and blockchain researchers across the world are asking the same question: who actually pulled this off?
From Garantex to Grinex: A Sanctions History the West Knows Well
Grinex did not emerge from nowhere. Its direct predecessor, Garantex, was sanctioned by the US Treasury's OFAC in 2022 for facilitating illicit transactions tied to ransomware groups and dark web markets. In March 2025, an international law enforcement operation seized its servers and domains. Within days, Grinex appeared online — same interface, same infrastructure, same user base.
Blockchain analytics firms Elliptic, TRM Labs, and Chainalysis have all confirmed the connection: Grinex shares ownership, customers, and infrastructure with Garantex. OFAC sanctioned Grinex in August 2025, formally describing it as "a continuation of Garantex's activities." The exchange also served as the primary hub for A7A5, a ruble-pegged stablecoin backed by sanctioned Russian bank Promsvyazbank and Moldovan oligarch Ilan Shor. In 2025 alone, A7A5 processed over $93 billion in transactions — roughly one-third of Russia's estimated import bill. A parallel financial infrastructure, built brick by brick to circumvent SWIFT.
The Attack: 12:00 UTC, 54 Wallets, $15 Million Moved
Elliptic tracked approximately $15 million in USDT leaving Grinex-linked wallets on April 16 at 12:00 UTC. The funds — predominantly on the TRON blockchain — were converted into TRX via SunSwap, the same decentralized exchange previously used by Garantex, and consolidated into a single address holding approximately 45.9 million TRX at the time of publication.
Grinex published a list of 54 affected wallet addresses and filed a complaint with Russian authorities. In a statement posted to its Telegram channel, the exchange attributed the attack to "special services of hostile states," claiming the operation was coordinated to "inflict direct damage on Russia's financial sovereignty."
False Flag or Exit Scam? The Question That Changes Everything
Here is where the narrative unravels. As Chainalysis noted in a report published April 18, 2026, when Western law enforcement agencies seize stablecoins, they freeze them through Tether — they do not convert them into TRX to make them unfreezable. That rapid conversion toward decentralized, non-freezable assets is the signature move of criminals trying to obstruct tracing. The same pattern was seen in prior illicit operations within the Garantex ecosystem.
TRM Labs identified approximately 70 addresses connected to the operation — 16 more than Grinex publicly disclosed — and found that TokenSpot, a Kyrgyz exchange closely tied to Grinex, was also hit within the same time window. Chainalysis does not rule out an inside job dressed as an external hack: Russia has a documented history of false-flag cyber operations, and an exit scam disguised as a hack is far from unprecedented in the crypto sector. On-chain investigator ZachXBT has repeatedly documented structural vulnerabilities of this type across centralized exchanges.
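The tracing logic behind the two preceding paragraphs, as an added illustration that is not code from the article or from Elliptic, TRM Labs or Chainalysis: a backward walk from a consolidation address over constructed transfer records, which surfaces source wallets missing from a disclosed list and flags the intermediate hops that swapped USDT for TRX. All addresses, amounts and the names `SERVICES`, `DISCLOSED` and `WINDOW` are made up for the example, and it makes no claim about how the firms arrived at their figures.

```python
from collections import defaultdict

# Constructed sample transfers (not real chain data):
# (sender, receiver, asset, amount, minutes relative to the incident start)
TRANSFERS = [
    ("W1", "H1", "USDT", 400_000, 0), ("W2", "H1", "USDT", 250_000, 2),
    ("W3", "H2", "USDT", 300_000, 3), ("W4", "H2", "USDT", 150_000, 5),
    ("W5", "H2", "USDT", 90_000, 6),
    ("W9", "H1", "USDT", 10_000, -900),       # old deposit, outside the window
    ("H1", "DEX", "USDT", 650_000, 10), ("DEX", "H1", "TRX", 2_100_000, 10),
    ("H2", "DEX", "USDT", 540_000, 12), ("DEX", "H2", "TRX", 1_750_000, 12),
    ("X1", "DEX", "USDT", 5_000, 11), ("DEX", "X1", "TRX", 16_000, 11),  # unrelated DEX user
    ("H1", "SINK", "TRX", 2_100_000, 20), ("H2", "SINK", "TRX", 1_750_000, 25),
]
SERVICES = {"DEX"}              # shared pool addresses: never trace through these
DISCLOSED = {"W1", "W2", "W3"}  # wallets the operator listed publicly (constructed)
WINDOW = (0, 120)               # minutes considered part of the incident

def trace_sources(transfers, sink, services, window):
    """Walk backwards from the consolidation address.
    Returns (origins, hops); origins received nothing inside the window."""
    inbound = defaultdict(set)
    for src, dst, _asset, _amount, t in transfers:
        if window[0] <= t <= window[1] and src not in services:
            inbound[dst].add(src)
    seen, stack, origins = {sink}, [sink], set()
    while stack:
        node = stack.pop()
        feeders = inbound.get(node, set())
        if not feeders and node != sink:
            origins.add(node)
        for f in feeders - seen:
            seen.add(f)
            stack.append(f)
    return origins, seen - origins - {sink}

def swapped_to_trx(transfers, services, window):
    """Addresses that sent USDT to a service and got TRX back inside the window."""
    sent = {s for s, d, a, _, t in transfers
            if d in services and a == "USDT" and window[0] <= t <= window[1]}
    got = {d for s, d, a, _, t in transfers
           if s in services and a == "TRX" and window[0] <= t <= window[1]}
    return sent & got

origins, hops = trace_sources(TRANSFERS, "SINK", SERVICES, WINDOW)
undisclosed = origins - DISCLOSED
freeze_evading_hops = hops & swapped_to_trx(TRANSFERS, SERVICES, WINDOW)

if __name__ == "__main__":
    print("origin wallets:", sorted(origins))
    print("not on the disclosed list:", sorted(undisclosed))
    print("hops that swapped USDT for TRX:", sorted(freeze_evading_hops))
```

Excluding the shared pool from the walk is what keeps the unrelated DEX user `X1` out of the result; tracing through a pool address would link every one of its users to the consolidation address.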
A Dark April for Centralized Exchanges
Grinex is not an isolated incident. Days earlier, Kraken deflected a criminal extortion attempt by insiders who had accessed data on 2,000 customers. The FBI confirmed that crypto fraud in the US exceeded $11 billion in 2025 — a 22% increase over the prior year.
The line between crime, geopolitics, and shadow finance has never been thinner. Grinex concentrates everything that makes this moment so complex for the crypto industry: increasingly aggressive sanctions regimes, shadow infrastructure built to evade them, and actors who may have every reason to make funds disappear without a trace — while pointing the finger at someone else.
Grinex users, meanwhile, cannot access their funds. No recovery timeline has been given. No guarantees offered. Exactly what happened to Garantex customers before them.
