---

Grinex, a Kyrgyzstan-registered crypto exchange linked to Russia and already under U.S. sanctions, halted all operations on Wednesday after attackers drained approximately $15 million in USDT from user wallets around 12:00 UTC. The exchange blamed the attack on what it called "special services of unfriendly states," a phrase mirroring Kremlin diplomatic language for Western governments. No independent evidence has confirmed that attribution.

On-chain data tracked by blockchain analytics firm Elliptic shows the stolen funds were quickly converted from USDT to TRX (Tron's native token) and ETH (Ether, the native token of Ethereum). The conversion happened fast enough to outrun a potential freeze by Tether, the company that issues USDT and holds the technical authority to blacklist wallets holding its token. The attackers then spread the funds across both the Tron and Ethereum networks, complicating recovery efforts. Grinex's own statement cited losses of "over 1 billion rubles," equivalent to roughly $13.1 million at current exchange rates, a figure about $1.9 million lower than Elliptic's on-chain estimate.

The gap between those two numbers matters. When an exchange self-reports a lower loss figure than what public blockchain data shows, it raises questions about transparency, especially for an exchange that has operated under U.S. Treasury sanctions since August 14, 2025. The Office of Foreign Assets Control (OFAC) designated Grinex that day as the direct successor to Garantex, a previously sanctioned Russian exchange that processed an estimated $96 billion in transactions between April 2019 and March 2025 before law enforcement shut it down. Garantex was originally registered in Estonia. Grinex's reregistration in Kyrgyzstan represents a deliberate jurisdictional shift, part of the evasion architecture that allowed operations to continue across borders.

"Liquidity and users of the sanctioned Garantex exchange have flowed into Grinex over the past year," Elliptic noted in a report cited by The Block.

Garantex was not simply replaced by Grinex. The transition was planned well in advance. Crystal Intelligence found that the Grinex domain was registered through a Russian registrar months before Garantex was seized, with email infrastructure configured as early as December 18, 2024. When U.S. and European authorities, led by the U.S. Secret Service, shut Garantex down on March 6, 2025, seizing servers in Germany and Finland and freezing over $26 million in crypto, Grinex went live just four days later.

The migration of roughly $60 million in user funds from Garantex to Grinex was facilitated through A7A5, a ruble-pegged stablecoin developed by A7 LLC, a Moscow-based fintech backed by Russian state-owned bank Promsvyazbank. Tokens were burned from frozen Garantex wallets and minted into Grinex wallets within minutes, a process that effectively erased prior transaction histories. Chainalysis and TRM Labs have estimated A7A5's total transfer volume at between $51 billion and $93.3 billion across its operational lifespan.

"Garantex anticipated a potential domain seizure and proactively established Grinex as its successor," Crystal Intelligence wrote in its 2025 investigation report.

Before Wednesday's suspension, Grinex had processed more than $6 billion in total historical transactions and served as the primary trading venue for A7A5. Elliptic's February 2026 report identified four other exchanges filling the void left by Garantex, including Rapira, which conducted more than $72 million in direct transactions with Grinex; Exmo, which conducted over $19.5 million in direct transactions with sanctioned entities; and ABCeX, which processed over $11 billion with flows traceable to Garantex, Aifory Pro, and affiliated entities.

Regional implications extend well beyond Russia. Grinex's Kyrgyzstan registration is not incidental. The country has emerged as a preferred jurisdiction for Russia-linked crypto entities, offering lighter regulatory oversight that enables operational continuity when stricter jurisdictions become untenable. This pattern mirrors regulatory arbitrage documented across parts of South Asia and East Africa, where gaps in oversight create corridors for sanctioned financial flows.

India became an unexpected enforcement hub in this saga when Garantex co-founder Aleksej Besciokov was arrested in Varkala, Kerala in March 2025 at the request of U.S. authorities. The arrest carried added significance because India has generally maintained strategic ambiguity on Russian sanctions in other policy domains, making the Kerala detention a meaningful signal that the country's financial intelligence apparatus is increasingly coordinated with Western compliance frameworks. It was one of the first times a major Russian crypto executive was detained in South Asia under extradition law. Co-founder Aleksandr Mira Serda, separately indicted by the U.S. Department of Justice, was not arrested and is believed to be in the UAE. For Indian crypto exchanges and peer-to-peer traders, any counterparty exposure to A7A5, Grinex, or affiliated entities now carries serious regulatory risk. In sub-Saharan Africa, TRM Labs identified South Africa as a jurisdiction through which A7A5-linked shell companies routed funds, a pattern that shows how regional financial infrastructure can be pulled into state-level evasion networks without local actors necessarily knowing it.

The collapse of Grinex follows a broader surge in crypto-based sanctions evasion. Chainalysis reported a 694 percent year-over-year increase in state-driven sanctions evasion activity in 2025, with Russia-linked flows accounting for the majority of an estimated $104 billion total. With Grinex now offline and its users holding inaccessible funds with uncertain prospects for recovery, the episode reinforces a straightforward lesson for exchange users in any jurisdiction: platforms operating at the legal margins provide no meaningful protection when things go wrong. Investigators will now watch where Grinex's remaining liquidity migrates next and whether, as analysts have warned may happen, a successor platform is already taking shape.