
Grinex: The Russia-Linked Exchange That Got 'Hacked' By Itself

$13.74M drained across 54 wallets. Grinex blamed hostile foreign intelligence. Chainalysis hinted at a false flag exit scam.


On April 15, 2026, Grinex announced it had been hacked. The Russia-linked, Kyrgyzstan-based crypto exchange said roughly $13.74 million in USDT had been drained across 54 wallets. The funds were converted via SunSwap. The exchange suspended operations, filed a complaint, and blamed "hostile foreign intelligence agencies." Chainalysis took one look at the on-chain data and suggested the whole thing was a false flag exit scam.

To understand Grinex, you have to understand Garantex. Garantex was the Russian crypto exchange the US Treasury sanctioned for laundering ransomware proceeds and helping sanctioned entities move money out of Russia. In March 2025, German and US authorities seized Garantex's infrastructure, froze $26 million in Tether, and indicted its administrators. The exchange was effectively destroyed.

Grinex appeared shortly after. Same client base. Same kind of customers. Same Russian-language interface. Operating out of Kyrgyzstan, conveniently outside both EU and US enforcement reach. The crypto industry called it what it was: a Garantex successor. Independent investigators traced executive overlaps and customer bridges between the two. Grinex denied everything, kept operating, and processed billions in USDT volume through 2025 and early 2026.


Then April 15 happened. The story Grinex told was simple. An attacker got into 54 hot wallets and drained $13.74 million in USDT. Funds were swapped to TRX via SunSwap, the Tron-based DEX known for being a laundering convenience. The exchange paused withdrawals and posted a notice that it suspected "Western intelligence services" of coordinating the attack to disrupt sanctioned Russian crypto flows. They said they had filed a complaint with Kyrgyz authorities. The complaint went exactly nowhere.

Chainalysis ran the on-chain data. The pattern did not look like a sophisticated state attack. It looked like coordinated outflows from wallets the exchange itself controlled. The "hacker" moved with the speed and coordination of someone who already had the keys. There was no breach signature. There was no attempt to evade exchange-side detection. The funds went straight to SunSwap and dispersed.

The blockchain analytics firm noted, carefully, that the event "could be a false flag" - the technical term for staging a hack to cover an exit scam. The theory: Grinex's operators saw the writing on the wall. Western enforcement was tightening. The Garantex precedent meant a seizure was eventually coming. Better to drain the exchange yourself, blame foreign spies, and walk away with the money than wait for a court order.

The exit scam theory has historical precedent. QuadrigaCX founder Gerald Cotten faked his own death to steal $250 million. Africrypt's Cajee brothers blamed a hack for $3.6 billion in missing crypto and disappeared. Chinese exchanges have a long history of "getting hacked" right before regulators move in. Grinex fit the pattern almost too well.

What is unusual is the messaging. Most exit scams keep quiet. Grinex went straight to public accusations against foreign governments. That is either an exchange genuinely furious about a state attack, or an exchange leaning into the geopolitical narrative because it gives Russian-speaking customers a reason to sympathize rather than demand refunds. The company has continued posting updates blaming Western intelligence, none of which are corroborated by any neutral observer.

For users with funds on Grinex, the situation is grim. The exchange remains technically operational but withdrawals are still suspended as of May 2026. No timeline for resumption. No deposit insurance. No US or EU jurisdiction to appeal to. Russian customers have no realistic path to recovery. Sanctioned customers have less than that.

The $13.74 million is gone. SunSwap conversions make Tron-side tracing harder, and Tron's voluntary cooperation with Western law enforcement is, generously, inconsistent. The funds have likely been moved through OTC desks, mixed with legitimate-looking flows, and either cashed out through Russian payment processors or held in cold storage waiting for the heat to die down.

Whether Grinex was actually hacked or staged its own collapse, the result is the same. Customers cannot withdraw. The exchange has plausible deniability. The operators have $13.74 million more than they had on April 14. And the Garantex playbook just got a sequel.

The Aftermath

Grinex withdrawals remain suspended as of May 2026. No funds have been recovered or returned. The exchange continues to publicly blame Western intelligence with no supporting evidence. Chainalysis maintains the false flag theory. Russian and sanctioned customers have no realistic path to refunds. The $13.74M has likely been moved through OTC desks or cold storage. Operators face no charges in any jurisdiction.

LESSONS LEARNED

- When a sanctioned exchange's successor 'gets hacked' and blames foreign spies, the on-chain evidence usually tells a quieter story.
- Kyrgyzstan-domiciled exchanges with Russian-language interfaces sit in a jurisdiction that Western law enforcement does not reach.
- Exit scams now come with geopolitical framing. The new excuse is 'Western intelligence' rather than 'lost the keys'.
- If your exchange does not have a US or EU regulator above it, your funds are subject only to its operators' patience.
