---

Grinex, a Russia-linked cryptocurrency exchange registered in Kyrgyzstan and currently under U.S., UK, and EU sanctions, suspended all operations on April 16 after attackers drained more than one billion Russian roubles (approximately $13.1 million) from its crypto wallet infrastructure. The exchange shut down withdrawals, froze account transactions, and went dark at its Moscow City office, replacing its website with a maintenance notice.

According to crypto market reporting, the stolen funds were converted into TRX, the native token of the Tron blockchain, and routed to a single wallet holding roughly 45.9 million TRX, worth approximately $15 million at the time of reporting. No named blockchain analytics firm had independently confirmed this figure at the time of publication. Tron is a preferred chain for rapid laundering due to its low transaction fees and high throughput, making it attractive to those seeking to move large sums quickly. Grinex attributed the attack to foreign government entities, claiming the operation required "Unprecedented level of resources and technologies available exclusively to structures of unfriendly states." Independent blockchain forensics firms have not yet confirmed that attribution.

The exchange said it has contacted law enforcement, initiated criminal proceedings, and handed technical data from the attack to investigators. Management added: "We're fighting back, an active investigation is underway, and we have no plans to shut down."

---

A Successor Built for Evasion

Grinex is not a standalone company. It is the direct successor to Garantex, a Russian crypto exchange that OFAC sanctioned in April 2022 for processing more than $100 million in transactions linked to ransomware groups including Conti, Black Basta, LockBit, and Ryuk, as well as the Hydra darknet market. On March 6, 2025, a joint operation by the U.S. Secret Service, German police, and Finnish authorities seized Garantex's domain and froze between $26 million and $28 million in cryptocurrency. Tether simultaneously froze USDT wallets tied to the platform.

Grinex appeared four days later. Blockchain forensics firm Crystal Intelligence found that Grinex's domain was registered in 2024 through a Russian registrar, and that its email infrastructure was configured in December 2024, months before the Garantex seizure. Within hours of the Garantex shutdown, approximately $60 million in A7A5 tokens moved from Garantex wallets to newly created Grinex wallets on-chain. TRM Labs described Grinex's interface as closely mirroring Garantex's original design. Crystal Intelligence concluded that "Garantex transferred its liquidity and customer balances to Grinex, allowing it to continue operations despite the sanctions."

OFAC formally sanctioned Grinex on August 14, 2025, alongside three Garantex executives, six associated companies, and the A7A5 token itself. The UK followed on August 20, 2025. The U.S. State Department also issued reward offers of $5 million for Garantex leader Aleksandr Mira Serda and $1 million each for other named Garantex figures, underscoring the degree of U.S. law enforcement interest in dismantling the network. According to Elliptic, Grinex has processed an estimated $6 billion in total transaction volume since launch.

---

The A7A5 Connection

A7A5 is a ruble-pegged stablecoin (a token designed to hold a fixed value relative to a fiat currency) issued by Old Vector, a Kyrgyzstani firm backed by deposits at Promsvyazbank, a Russian state bank that serves defense contractors and is itself sanctioned. A7A5 functioned as the primary deposit and settlement mechanism on Grinex. Chainalysis estimated A7A5's total trading volume at between $51 billion and $93 billion. Leaked internal communications cited by Foreign Policy in March 2026 pointed to at least $56 billion in A7-related flows, touching intermediaries in China, Southeast Asia, and South Africa.

Putin attended a virtual ribbon-cutting for A7's Vladivostok branch in September 2025, offering a public endorsement of the stablecoin project. A7 Limited, the issuing entity, was founded by fugitive Moldovan oligarch Ilan Shor and is 49% co-owned by Promsvyazbank.

---

Regional Exposure: From Kerala to Kyrgyzstan to Cape Town

The Garantex-Grinex network has already produced one South Asian enforcement action. In March 2025, Lithuanian national Aleksej Besciokov, Garantex's alleged co-founder and operator, was arrested in Varkala, Kerala, at U.S. request. He now faces extradition proceedings on money laundering conspiracy charges. India's cooperation in this case signals growing bilateral law enforcement cooperation on crypto crime. Exchanges and developers in South Asia that processed any flows through Garantex or Grinex-linked wallets, including through USDT or A7A5 routing, may face compliance scrutiny as regulators improve their blockchain monitoring. That scrutiny is grounded in a pattern of escalating enforcement: India's Financial Intelligence Unit has been increasingly aggressive since its December 2023 show-cause notices to offshore exchanges, and the Besciokov arrest reflects that trajectory.

Kyrgyzstan, home to 126 licensed virtual asset service providers and $4.2 billion in VASP transaction volume in just the first seven months of 2024, has become the formal registration layer for Russia's offshore crypto architecture. The UK government explicitly cited Russia's exploitation of Kyrgyzstan's financial systems in its August 2025 sanctions announcement. The EU has applied additional pressure, threatening to restrict dual-use goods exports to Kyrgyzstan unless the country takes concrete action against these structures, a posture that leaves Bishkek with narrowing room to remain a passive host to sanctioned financial networks.

In South Africa, Finance Minister Enoch Godongwana announced on February 25, 2026 that draft regulations would bring crypto assets under the Currency and Exchanges Act, requiring central bank approval for cross-border crypto transfers. A High Court ruling in 2025, in the case of Standard Bank v. SARB, had found crypto outside existing exchange controls, a gap the government is now moving to close. Analysts expect regulators to cite incidents like the Grinex hack as concrete examples justifying tighter oversight of stablecoin and cross-border flows, consistent with the South African Reserve Bank's stated direction on digital asset supervision.

---

What Comes Next

The Chainalysis 2026 Crypto Crime Report documented a 694% increase in state-driven sanctions evasion volume in 2025, with Russia and Iran as the primary actors. The single TRX wallet holding the Grinex theft proceeds is now an identifiable on-chain target. Any exchange or DeFi protocol (decentralized finance platform) that becomes an exit point for those funds faces direct OFAC secondary sanction risk, a legal exposure that applies regardless of where a company is based or whether it operates in U.S. markets.

Grinex says it intends to resume operations. Given its history as a reborn sanctioned entity, how regulators and blockchain analytics firms respond to its next move will be a test case for whether sanctions enforcement has caught up with crypto's demonstrated capacity for serial reincorporation under new identities.