Russian crypto exchange Grinex has paused all operations after a hack that saw approximately 1bn roubles ($13mn) stolen from user funds, according to a statement posted on Telegram.
Russian Crypto Exchange Grinex Pauses Operations After $13mn Hack
17 April 2026 - 09:40 CEST
Grinex, the successor to the previously sanctioned exchange Garantex, said it believes the attack was carried out by foreign intelligence services of unfriendly states.
Alleged state involvement
The exchange claimed that digital traces and the sophistication of the attack pointed to resources and technology available only to state-level actors.
"Digital traces and the nature of the attack indicate an unprecedented level of resources and technology available exclusively to entities from unfriendly states," Grinex said on Telegram. "According to preliminary data, the attack was coordinated with the aim of inflicting direct damage on Russia’s financial sovereignty."
If confirmed, the alleged involvement of state actors would represent a notable escalation in the use of cyber operations against crypto platforms tied to geopolitical conflicts.
The US Treasury’s Office of Foreign Assets Control (OFAC) has designated Grinex as Garantex’s successor, stating that it was created by Garantex employees to continue sanctions-evasion activities after law enforcement actions disrupted the original platform in March 2025. Grinex has faced parallel sanctions from the US, UK and EU.
Stablecoins used to bypass sanctions
The platform has served as the primary venue for trading A7A5, a ruble-backed stablecoin issued by Kyrgyzstan-based Old Vector LLC. The token is backed by ruble deposits at Promsvyazbank (PSB), a Russian state-owned bank that specializes in serving the country’s defence sector and is under sanctions from the US, UK and EU.
Garantex and now Grinex used the token to help users move value while circumventing Western sanctions on Russia. A7A5 saw daily transaction volumes peak at $1.5bn late last year and accumulated roughly $100bn in total volume within a year of launch.
Broader hack wave exposes sector risks
The Grinex breach adds to a series of high-profile attacks on digital asset platforms recently. In early April, Solana-based decentralized perpetuals exchange Drift Protocol suffered a roughly $280mn exploit. That hack has been linked to North Korean hacking groups, including the Lazarus Group.
State-backed actors have grown more active in targeting crypto infrastructure. Total proceeds from crypto-related hacks and exploits reached an estimated $6.8bn in recent periods, with a significant portion occurring over the past year.
These incidents show both the large amounts of capital now flowing through digital asset platforms and the uneven state of security practices across the industry. While major regulated exchanges have strengthened defences, smaller or geopolitically exposed platforms remain vulnerable to advanced persistent threats.
Grinex has suspended withdrawals and trading, with no immediate timeline announced for resumption or any compensation plan for affected users. The exchange stated it is conducting an active investigation but provided no details on potential recovery of stolen funds.
The Grinex incident also draws attention to the intersection of crypto infrastructure and international sanctions enforcement, where platforms operating in complex jurisdictions can become targets in broader economic conflicts.
