Grinex Exchange Suspends Trading and Withdrawals After Suspected Cyberattack

Grinex, a cryptocurrency exchange registered in Kyrgyzstan and linked to the Russian crypto market, has announced a temporary suspension of trading operations and withdrawals following an incident the platform itself described as a large-scale cyberattack on its wallet infrastructure. The news triggered significant attention across the market, because this is not merely a technical failure, but a possible loss of assets exceeding 1 billion rubles.

According to the exchange’s initial statements, more than 1 billion rubles were stolen in the attack, which is equivalent to roughly $13–15 million depending on the valuation method and exchange rates used at the time of analysis. At the same time, outside analytical companies specializing in blockchain transaction tracing estimate the total scale of the damage to be even higher than what Grinex stated in its first announcements.

Immediately after detecting the incident, the platform halted key operations, including trading and cryptocurrency withdrawals. For users, this became the most alarming signal, since such decisions are usually made when an exchange is trying to contain the damage, prevent further movement of funds, and conduct an internal investigation.

What happened to Grinex

According to the exchange’s statement, the attack targeted the wallet infrastructure directly, meaning one of the most sensitive elements of any cryptocurrency platform. The wallet system is responsible for receiving, storing, and sending digital assets, and its compromise can mean direct access by attackers to client funds or the platform’s reserves.

Grinex stated that it faced not a routine information security incident, but a coordinated and technologically sophisticated attack. In its public rhetoric, the exchange used extremely strong language, claiming that the attackers’ actions were aimed not only at the platform itself, but also at the financial infrastructure serving users from the region.

At the same time, such assessments currently remain the company’s own claims. No independent public technical report has yet been presented that would fully confirm the attack vector, the method of wallet compromise, the exact route of the stolen funds, or the full list of affected addresses.

How much may have been stolen

The exchange initially reported losses of more than 1 billion rubles. However, blockchain analysts indicate that the actual volume of stolen assets may be higher. According to several estimates, the total amount stolen approached $15 million, making this one of the most notable incidents of recent months among platforms operating in a sensitive regional jurisdiction and linked to the Russian crypto market.

The difference between the exchange’s own internal estimate and external analytical calculations may be explained by several factors. First, the exchange may have counted only the portion of assets that could be quickly identified immediately after the breach. Second, outside researchers may have included already consolidated funds that were moved to intermediate and final addresses. Third, the discrepancy may stem from revaluation after the assets were converted into other tokens.

That is why, in incidents like this, the final damage figure is often clarified over the course of several days or even weeks, once the full chain of fund movements becomes clear and the link between specific addresses and the attackers is confirmed.

How the stolen assets were moved

According to blockchain analysts, a significant portion of the stolen funds was moved through the Tron and Ethereum networks. After that, the assets were reportedly partially converted from USDT into TRX and ETH. Such a route appears logical from the attackers’ perspective, because stablecoins such as USDT can be frozen by the issuer if there is confirmed linkage to unlawful activity.

That is why rapid conversion of stablecoins into native blockchain assets is often used as a way to make freezing and further tracing more difficult. If the stolen funds remain in USDT, there is a risk that the token issuer may blacklist the addresses involved. If the assets are quickly converted into TRX or ETH, recovering them becomes significantly more difficult.

There were also reports of a wallet that held around 45.9 million TRX after consolidation. This may indicate that the stolen funds were gathered into one or several final addresses after passing through intermediate routes. This pattern is typical of attacks in which the perpetrators first rapidly withdraw assets from the target platform and then redistribute, convert, and attempt to obscure their origin.

Why the incident caused such a strong reaction

The situation around Grinex drew increased attention not only because of the large-scale cyberattack itself, but also because of the context in which the platform operates. The exchange is widely seen as a structure closely linked to the Russian cryptocurrency market. In addition, it is often described in analytical circles as a successor to, or continuation of, infrastructure that emerged after restrictive measures were taken against Garantex.

That context makes the story much more sensitive from the standpoint of geopolitics, regulation, and financial monitoring. Any incident involving such a platform is automatically viewed not only as a problem of the exchange’s internal security, but also as an event affecting sanctions pressure, cross-border crypto settlements, and the resilience of informal crypto infrastructure.

Against that backdrop, Grinex’s claims that the attack may have been carried out using resources available only to state or state-adjacent structures sound especially dramatic. However, without a transparent technical audit, such statements remain, for now, the platform’s own politically charged version rather than a proven conclusion.

Grinex’s connection to the Russian market

Grinex is registered in Kyrgyzstan, but within the crypto community it has long been associated with infrastructure oriented toward serving clients from Russia. For that reason, any problems affecting the platform are inevitably viewed through the broader question of how resilient and secure crypto exchanges are when they operate at the intersection of regional restrictions, sanctions pressure, and heightened attention from regulators.

In recent years, such platforms have found themselves in an especially difficult position. On one hand, they serve real demand from users seeking access to digital assets, exchange services, and withdrawals. On the other hand, they remain under constant scrutiny from analytical firms, government agencies, and stablecoin issuers capable of tracking large fund movements and blocking certain transaction chains.

Against that backdrop, any hack, especially one involving the withdrawal of large sums in USDT, TRX, and ETH, immediately goes beyond being an ordinary story about an exchange vulnerability and becomes an event with broader implications for the regional crypto market as a whole.

What the suspension of trading and withdrawals means

For the exchange’s clients, the main consequence of the incident was not the news of the hack itself, but the effective freezing of operations. When a crypto exchange halts withdrawals and trading, it almost always signals a period of high uncertainty. Users do not know how deep the problem really is, whether the platform has sufficient reserves, whether there is a chance of partial or full compensation, or when normal operations may resume.

Even if the exchange insists that the situation is under control, the lack of access to funds is always the greatest reputational blow for clients. For the market, this looks like a signal that the platform either cannot restore operations quickly or is not ready to assume obligations until its internal review is complete.

In practice, the period after such announcements often becomes decisive for the platform’s future. If the exchange quickly publishes a transparent action plan, confirms remaining reserves, discloses technical details, and offers a clear compensation mechanism, trust can at least be partially preserved. If the platform limits itself to general statements and provides no concrete deadlines, the level of trust usually continues to deteriorate.

Why the attackers chose Tron and Ethereum

The use of Tron and Ethereum in routing the stolen funds appears understandable. Tron remains one of the most popular networks for moving USDT due to its high speed and relatively low fees, especially when it comes to rapid transfers among a large number of addresses. Ethereum, in turn, offers broad liquidity and a large number of tools for swapping, routing, and further obscuring the origin of assets.

In addition, the presence of highly liquid markets for TRX and ETH makes them convenient assets for intermediate conversion. If the attackers were indeed trying to escape the risk of USDT freezing, converting funds into the native tokens of these networks may have been part of a pre-planned scheme. This once again shows how quickly attackers adapt to the specifics of the modern crypto market and use the differences between asset types to their advantage.

What this case shows the wider market

The Grinex case has become an illustrative example of several broader trends at once. First, even large or notable regional platforms remain vulnerable if their wallet infrastructure does not provide a sufficient level of protection. Second, the speed with which stolen funds can move across several networks shows that the response window after a breach is extremely short. Third, the very fact of rapid conversion from USDT into other assets confirms that the risk of centralized token freezing is something attackers already take into account during the planning stage of their operations.

This incident also once again raises the issue of transparency among centralized exchanges, especially those operating in a difficult political and regulatory environment. Users increasingly expect from platforms not only convenient interfaces and liquidity, but also clear proof of reserves, understandable custody architecture, transparent crisis-response rules, and readiness to communicate during emergency situations.

What comes next

At the time the incident was being discussed, Grinex limited itself to a statement about the suspension of operations and claims of an external attack. However, for clients and market observers, the key questions are entirely different: will the exchange be able to restore withdrawals, how large is the actual shortfall in assets, is there any compensation mechanism, and will a full technical report on the incident ever be published?

As long as those questions remain unanswered, the situation remains unresolved. If the exchange manages to quickly demonstrate solvency and resume operations, the incident may remain a serious but survivable reputational blow. If the pause drags on and the scale of losses turns out to be higher than expected, the consequences for both users and the platform itself may become much more severe.

Conclusion

The suspension of trading and withdrawals at Grinex after a suspected cyberattack has become one of the most notable cryptocurrency incidents of recent days. According to various estimates, the attackers may have stolen between $13 million and $15 million, after which the funds were moved through Tron and Ethereum and partially converted into TRX and ETH.

For the exchange itself, this means a severe crisis of trust and the need to quickly prove the resilience of its infrastructure and the availability of resources to restore operations. For the market as a whole, it is yet another reminder that wallet infrastructure security, reserve transparency, and readiness for crisis scenarios remain critical conditions for the survival of any centralized crypto platform.

19.04.2026, 13:57