Sanctioned Russian Exchange Grinex and Kyrgyzstani Exchange TokenSpot Hit in USD 15 Million Theft

On April 16, 2026, Grinex — the sanctioned Russian cryptocurrency exchange widely assessed as a successor to Garantex — announced it had been the victim of a cyberattack resulting in the theft of approximately USD 15 million (over 1 billion rubles) in user funds. The exchange suspended operations and filed a criminal complaint. TRM analysis indicates that TokenSpot, a Kyrgyzstan-based exchange with deep on-chain ties to Grinex, was likely targeted in the same operation.

Key takeaways

• Grinex, the sanctioned likely Garantex successor and one of Russia’s primary cryptocurrency financial channels, lost approximately USD 15 million in a cyberattack on April 16, 2026
• TRM identified approximately 70 addresses connected to the incident — roughly 16 more than Grinex publicly reported — with all known stolen funds converted to TRX via SunSwap and consolidated at a single TRON address
• TokenSpot, assessed by TRM as a likely Garantex front company, was simultaneously affected; two of its addresses sent funds to the same consolidation address used by Grinex-linked wallets and both were out of service on 15 April, suggesting they were hit by the same attacker
• The incident hit two exchanges critical to a broader Russian sanctions evasion network that has collectively processed hundreds of billions of dollars in transactions tied to Russian state-adjacent financial activity

{{horizontal-line}}

What did Grinex and Tokenspot say about the theft?

Grinex published a list of 54 wallet addresses it attributed to the attacker, alongside USD-equivalent amounts drained from each, and announced it had transmitted the information to law enforcement. Grinex claims the attack was carried out by “the special services of unfriendly states,” framing the theft as part of a systematic effort to damage Russia’s financial sovereignty. TRM has not independently verified that attribution.

TokenSpot’s Telegram channel announced “technical work” and a brief platform outage on April 15, followed by an announcement the following day that it had resumed full operations. TRM on-chain analysis identified two TokenSpot addresses that routed funds to the same consolidation address used by the Grinex-linked wallets, connecting the two incidents.

What TRM found on-chain

TRM analysis identified approximately 70 addresses connected to this incident — roughly 16 more than Grinex publicly disclosed. The stolen funds were predominantly USDT on TRON. The attacker converted those funds to TRX before consolidating the proceeds into a single address. At the time of writing, approximately 45.9 million TRX — equivalent to roughly USD 14.98 million — has reached that address. The attacker stole much less from TokenSpot – less than USD 5,000, sent to the same consolidation address.

Four Ethereum addresses are also associated with the incident. The destination of funds from those Ethereum addresses is still under investigation; this post will be updated if additional findings develop.

Based on the relatively low total value drained, the indiscriminate targeting of both large and small wallets across multiple platforms including TokenSpot — which has since resumed operations after claiming a technical issue — TRM assesses this incident was morelikely an external cyber operation rather than an exit scam. However, as the situation is still evolving, it is not possible to definitively rule out coordinated insider involvement at this time.

Grinex: a sanctioned exchange with extensive Russia ties

Grinex was incorporated in Kyrgyzstan in December 2024 — weeks before the March 2025 multinational law enforcement action that dismantled Garantex, one of the world’s most prolific high-risk cryptocurrency exchanges. Days after that takedown, Telegram channels affiliated with Garantex began promoting Grinex, offering “familiar functionality” and actively recruiting former Garantex clients to recover frozen assets.

On August 14, 2025, OFAC sanctioned Grinex, along with Garantex co-owners Pavel Karavatsky and Aleksandr Mira Serda, co-founder Sergey Mendeleev, and the A7A5 Kyrgyzstani token issuer Old Vector. The designations identified Grinex as a continuation of Garantex’s sanctions-evasion infrastructure. Before its takedown, Garantex had processed over USD 100 billion in transactions despite being under OFAC sanctions since April 2022, with 82% of its total volume linked to sanctioned entities globally.

Central to Grinex’s operations was A7A5, a Russian ruble-backed stablecoin issued by Old Vector. Garantex wallets began moving funds into A7A5 as early as January 2025 — weeks before the enforcement action — indicating deliberate advance planning. Former Garantex customers received A7A5 credits equivalent to their frozen balances, redeemable on Grinex.

TokenSpot: a Russian crypto foothold in Central Asia

TokenSpot is registered in Kyrgyzstan and processed over USD 4 billion in transaction volume between December 2023 and March 2026 — a scale that dwarfs what legitimate retail exchanges in Central Asia would likely produce. TRM assesses that TokenSpot likely functions as a front company for Garantex, based on on-chain analysis including overlapping transaction patterns and network infrastructure shared with Garantex wallet clusters.

The platform’s financial ties to the broader network are direct. TokenSpot transferred a combined USD 88 million to Garantex and Grinex and received over USD 12 million back from Grinex, according to on-chain data. Its largest single counterparty is A7, the sanctions evasion network at the core of Russia’s parallel financial infrastructure: TokenSpot sent over USD 257.5 million to A7. 

TokenSpot’s illicit exposure extends beyond the Garantex ecosystem. TRM traced nearly USD 1 million received by TokenSpot addresses from a wallet OFAC sanctioned for laundering money on behalf of the Houthis — a wallet linked to Russia-based Afghan businessmen involved in procuring weapons and stolen Ukrainian grain for Houthi operations. TRM has also used on-chain tracing to confirm open source reporting linking TokenSpot transactions to a payment made as part of InfoLider, a Russia-backed influence operation in Moldova that reportedly paid individuals to promote pro-Russian narratives and participate in anti-government demonstrations.

‍

TRM will continue to monitor the movement of funds from this theft and will add information as warranted.

‍

{{horizontal-line}}

Frequently asked questions (FAQs):

1. What is Grinex and why does it matter?

Grinex is a Kyrgyzstan-registered cryptocurrency exchange that emerged as Garantex’s successor within days of the March 2025 law enforcement action that dismantled it. OFAC sanctioned Grinex in August 2025. Before its takedown, Garantex processed over USD 100 billion in transactions despite OFAC sanctions since April 2022, with 82% of its volume linked to sanctioned entities globally. Grinex continued operating within the same network.

2. What is TokenSpot?

TokenSpot is a Kyrgyzstan-registered exchange that TRM assesses is a likely front company for Garantex, based on on-chain analysis. Between December 2023 and March 2026, it processed over USD 4 billion in transaction volume. Its financial ties include USD 88 million transferred to Garantex and Grinex and over USD 257.5 million sent to the A7 sanctions evasion network.

3. How were the stolen funds moved?

The attacker converted stolen USDT on TRON to TRX via SunSwap, a TRON-based decentralized exchange, and consolidated the proceeds into a single address. At the time of writing, approximately 45.9 million TRX — equivalent to roughly USD 14.98 million — has reached that address. TRM is continuing to monitor fund movements.

4. Who does Grinex claim is responsible for the attack?

Grinex claims the attack was carried out by “the special services of unfriendly states,” framing it as economic warfare targeting Russia’s financial sovereignty. TRM has not independently verified that attribution.

‍

‍