Grinex / TokenSpot Hack - April 16, 2026
The Incident
On April 16, 2026, Grinex — the sanctioned Russian cryptocurrency exchange widely assessed as a successor to Garantex — announced it had been the victim of a cyberattack resulting in the theft of approximately USD 15 million in user funds. The exchange suspended operations and filed a criminal complaint.
Connection to TokenSpot
TRM analysis indicates that TokenSpot, a Kyrgyzstan-based exchange with deep on-chain ties to Grinex, was likely targeted in the same operation. The attacker stole much less from TokenSpot — less than USD 5,000 — sent to the same consolidation address.
TRM Labs' Findings
• TRM identified approximately 70 addresses connected to this incident — roughly 16 more than Grinex publicly disclosed
• Stolen funds were predominantly USDT on TRON
• The attacker converted those funds to TRX before consolidating proceeds into a single address
• Indiscriminate targeting of both large and small wallets across multiple platforms
Technical Root Cause
While the precise technical root cause was not publicly disclosed, the pattern of access to multiple wallets across two related platforms strongly suggests private-key/operational compromise rather than a smart-contract exploit.
Grinex's Claims
Grinex claimed the attack was carried out by "the special services of unfriendly states," framing the theft as part of a systematic effort to damage Russia's financial sovereignty.
TRM Assessment
Based on the relatively low total value drained and the indiscriminate targeting pattern, TRM assesses this incident was more likely an external cyber operation rather than an exit scam — though some reporting (e.g. Fintelegram) characterizes the event as a possible exit scam disguised as a hack.
Aftermath
• Grinex suspended trading operations after the hack
• Filed a criminal complaint
• Operations remained paused following the incident, with some reports referring to a full shutdown
Sources