Grinex Exchange Halts Operations After Major Crypto Attack

Blockchain firms TRM Labs and Elliptic said the stolen funds were moved through multiple addresses and converted into assets like TRX and Ether. The incident came during a surge in crypto security breaches, with at least 12 DeFi protocols and crypto businesses targeted in just over two weeks after the $280 million Drift Protocol exploit on April 1.

Grinex Suspends Trading

Grinex, a crypto exchange registered in Kyrgyzstan but closely associated with Russia’s digital asset ecosystem, suspended trading operations after suffering a major cyberattack that resulted in losses exceeding 1 billion Russian rubles, or approximately $13.7 million. 

The company announced that funds were removed from 54 separate wallet addresses. It described the breach as highly sophisticated, and claimed the methods used suggested access to resources and technology typically associated with hostile state intelligence agencies. Grinex said it handed all available evidence to law enforcement authorities and filed a criminal complaint connected to the location of the affected infrastructure.

The exchange has attracted quite a bit of international scrutiny because of its alleged links to sanctions evasion. Grinex has often been described as the successor to Garantex, which is another crypto platform that was previously sanctioned and accused by United States authorities of helping Russian entities bypass restrictions and launder funds tied to cybercriminal activity. 

Analysts have also linked Grinex to the trading of A7A5, a ruble-backed stablecoin that critics say has been used in sanction-circumvention efforts. Despite these allegations, Grinex publicly denied involvement in illegal conduct and previously stated that it condemns sanctions evasion and money laundering.

New evidence suggests the attack may have extended beyond Grinex itself. Blockchain intelligence firm TRM Labs reported that two wallets connected to TokenSpot, another Kyrgyzstan-based exchange with on-chain links to Grinex, transferred around $5,000 to the same consolidation address allegedly used by the Grinex attacker. 

TokenSpot recently announced temporary technical maintenance and a brief outage on April 15 before restoring full operations the following day. While no direct accusation has been made, the timing and wallet activity raised some questions about whether TokenSpot was also affected.

TRM Labs also stated that it identified 16 more addresses linked to the incident beyond those publicly disclosed by Grinex. The main wallet receiving the stolen assets reportedly contains 45.9 million TRON tokens, which is valued at close to $15 million.

(Source: Elliptic)

Blockchain analytics company Elliptic said it traced approximately $15 million in Tether (USDT) leaving Grinex-controlled accounts. According to the firm, the stolen stablecoins were quickly converted into other digital assets like TRX or Ether. This conversion may have been intended to reduce the likelihood of Tether freezing the stolen funds.

12 Crypto Platforms Hit in Two Weeks

Shockingly, at least 12 decentralized finance (DeFi) protocols and crypto businesses have been targeted in just over two weeks since the major Drift Protocol exploit on April 1. 

The biggest breach in this recent wave was the $280 million exploit of Drift Protocol. The attack occurred on April 1, and is believed to have involved a prolonged social engineering campaign. Security analysts suspect actors linked to North Korea may have been involved.

Since then, a wide range of platforms have reported attacks or suspicious activity. Among those named are CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, Rhea Finance and Grinex. Both centralized and decentralized businesses are vulnerable.

Rhea Finance was among the latest victims after reporting that hackers exploited a flaw in its margin trading feature. According to the platform, attackers manipulated pools connected to the Rhea Lend smart contract and extracted approximately $7.6 million. Blockchain security firm CertiK said the exploit involved fake token contracts and newly created liquidity pools, likely designed to mislead the oracle and validation systems used by the protocol.

The Binance Smart Chain TMM/USDT liquidity pool reportedly suffered a reserve manipulation attack that caused losses of roughly $1.67 million. Bridge aggregator Dango lost about $410,000 due to a smart contract bug, while lending protocol Silo Finance was hit for $392,000 in an oracle-related exploit. Decentralized GPU cloud platform Aethir also lost approximately $423,000 in an access control breach.

The surge in attacks coincided with growing debate over the cybersecurity implications of advanced AI systems, including models like Anthropic’s Claude Mythos and similar technologies. Experts warn that future generations of AI could help attackers automate phishing campaigns, identify code vulnerabilities faster, and execute more complex fraud schemes.