Grinex, a cryptocurrency exchange widely understood to be a continuation of the US-sanctioned Garantex operation, suspended all services on April 17, 2026, following a targeted attack on April 15 that drained approximately 1 billion rubles ($13.74 million) from customer accounts. The exchange publicly attributed the incident to “hostile state intelligence agencies,” citing the attack’s technical sophistication and the absence of any ransom demand as indicators of state-backed motives.
Background: Grinex as Garantex’s Successor
Garantex was a Moscow-based cryptocurrency exchange sanctioned by the US Office of Foreign Assets Control (OFAC) in April 2022 for laundering funds linked to ransomware operations including Conti and darknet markets including Hydra. Rather than shut down after being sanctioned, Garantex migrated its customer base to a successor platform operating as Grinex, using a ruble-backed stablecoin called A7A5 to maintain services for Russian customers unable to access sanctioned financial channels. Grinex continued serving as a significant node in the cryptocurrency infrastructure used to convert ransomware proceeds and circumvent Western financial sanctions.
The Attack
The incident occurred at approximately 12:00 UTC on April 15, 2026. Attackers drained customer funds and transferred the assets to external wallets on the TRON and Ethereum blockchains. The stolen USDT was rapidly converted to TRX and ETH to avoid Tether’s ability to freeze the tokens — a tactical step indicating familiarity with cryptocurrency forensic investigation methods. Blockchain analytics firms Elliptic and Chainalysis both confirmed they were tracking the funds but have not publicly attributed the attack to a specific actor.
Grinex’s public statement described the attack as having “capabilities typically available exclusively to the agencies of hostile states,” referencing the digital forensic evidence it claims to have gathered. No technical indicators were published to support the attribution.
Why Attribution Uncertainty Matters
The claim of Western intelligence involvement, if accurate, would represent a significant escalation of offensive cyber operations as an instrument of financial sanctions enforcement. The United States and its allies have previously relied on indictments, seizures of exchange infrastructure, and diplomatic pressure to enforce sanctions against cryptocurrency exchanges — direct theft from a sanctioned exchange via state-sponsored cyber operation would be a novel application of the same policy objective.
That said, Elliptic’s published analysis provides no corroborating technical evidence. Alternative explanations include an insider attack, a conventional criminal operation that timed its exit to maximise impact on a reputationally vulnerable target, or a sophisticated criminal group that recognised Grinex could not involve law enforcement without exposing its own sanctioned status.
From a defensive intelligence standpoint, the incident is notable regardless of attribution: it demonstrates that even sanctioned, deliberately opaque cryptocurrency infrastructure is not immune to catastrophic fund loss, which has implications for ransomware groups that rely on similar exchanges for proceeds conversion.
Impact on Russian Sanctions-Evasion Infrastructure
Grinex’s suspension removes a facility that ransomware operations used to convert cryptocurrency into spendable rubles, and that Russian entities used to access dollar-denominated assets despite OFAC restrictions. The exchange’s A7A5 stablecoin, designed to bridge sanctioned and unsanctioned financial systems, also ceases operation with the shutdown.
Whether Garantex/Grinex will re-emerge under a third name remains to be seen. The pattern following the 2022 Garantex sanction was exactly this: rebrand and continue. The April 2026 attack eliminates the operational entity but does not necessarily prevent a successor.
Implications for Crypto Asset Risk
- Ransomware payment intelligence: Threat intelligence teams that track ransomware payment flows should note the removal of a major conversion point; affected ransomware groups may pivot to alternative exchanges or on-chain mixing services
- Due diligence on crypto exposure: Organisations with significant cryptocurrency holdings should review their exposure to exchange counterparties and assess whether any relationships exist with entities on OFAC’s designated list
- Regulatory clarity for exchanges: The Grinex shutdown reinforces the operational risk of maintaining customer asset custody at exchanges operating in sanctioned jurisdictions or under sanctioned entities, even when marketed under a different name