The World's Most Sanctioned Crypto Exchange Just Got Hacked — and It's Blaming the CIA
An exchange that spent years helping ransomware gangs, darknet markets, and sanctioned entities launder money just had $13–15 million drained from its users’ wallets. Now it’s blaming the CIA.
Welcome to Grinex. Population: one very bad week.
What Just Happened
On April 16, 2026, Grinex — a Kyrgyzstan-based crypto exchange — announced it was suspending all operations after a “large-scale cyberattack.” The exchange claimed the hack bore “signs of involvement by foreign intelligence services of unfriendly states,” per their Telegram channel. Translation: they’re saying Western spies did it.
Blockchain intelligence firm Elliptic tracked approximately $15 million in USDT leaving Grinex wallets shortly after the incident, while the exchange itself acknowledged over 1 billion rubles ($13.1 million) stolen from user accounts. TRM Labs noted that TokenSpot, a linked Kyrgyzstani token issuer, was simultaneously hit in what appears to be a coordinated operation.
Trading, deposits, and withdrawals are all halted. The exchange says it’s working with law enforcement to open a criminal case — a sentence that lands differently when the entity in question is itself the subject of U.S. Treasury sanctions.
Who Is Grinex? (You Already Know This Exchange)
Grinex is Garantex 2.0 — and that’s not speculation, it’s documented fact.
Garantex was a Russian crypto exchange sanctioned by OFAC in April 2022 for processing over $100 million in illicit transactions linked to ransomware affiliates including Conti, LockBit, Black Basta, Ryuk, and NetWalker, plus major darknet marketplace Hydra. For years it operated openly, serving as a critical financial artery for Russia’s cybercriminal ecosystem.
In March 2025, a coordinated multinational law enforcement action finally dismantled Garantex. Within days, Telegram channels affiliated with the exchange began promoting Grinex — a freshly incorporated Kyrgyzstani exchange that offered “familiar functionality” and actively recruited former Garantex clients to recover their frozen assets. Same team, new shell.
The U.S. didn’t miss it. In August 2025, OFAC sanctioned Grinex along with Garantex co-owners Pavel Karavatsky and Aleksandr Mira Serda. Grinex kept running anyway — it had processed billions of dollars in crypto transactions since its December 2024 creation.
Now, seven months after being sanctioned, it’s dark.
The Irony Is Doing Heavy Lifting
Let’s be clear about what happened here: an exchange that existed specifically to help entities evade Western sanctions and law enforcement just had its users’ funds drained — and responded by accusing the West of attacking it.
There’s no independent evidence confirming the “foreign intelligence” theory. No attribution from any blockchain security firm. No on-chain indicators of a state-level actor. What there is evidence of is $15 million leaving wallets right before the exchange went silent.
The “blame Western spies” narrative also serves a convenient purpose: it frames Grinex as a victim of geopolitical warfare rather than a sanctioned criminal enterprise that failed to protect its users. Russian retail depositors who trusted a sanctioned exchange with their funds are the actual victims here.
What Happens to User Funds?
Unclear — and that’s the charitable answer. Grinex has “paused all exchange activity” and says it’s cooperating with law enforcement. But:
- The exchange itself is under U.S., U.K., and EU sanctions
- Its leadership is individually sanctioned
- Its operating jurisdiction (Kyrgyzstan) has limited enforcement infrastructure
- And the “foreign intelligence” claim, if taken seriously, implies the funds may already be gone
Users of sanctioned exchanges have essentially no legal recourse under Western law. Russian users may have some options via domestic legal channels, but recovery history for exchange hacks in this space is grim.
Why This Matters for Crypto Jobs
Events like this create real hiring pressure across several verticals:
Blockchain forensics and compliance is booming. Firms like Elliptic, TRM Labs, and Chainalysis that tracked this hack in real time are staffed by analysts who map on-chain fund flows for exactly these moments. These roles — blockchain investigator, sanctions compliance analyst, crypto AML specialist — are among the fastest-growing in the industry.
Exchange security engineering is a perpetual growth area. Every major hack drives a wave of hiring at centralized and decentralized exchanges for security architects, smart contract auditors, and threat intelligence analysts.
Regulatory and policy roles at both crypto companies and traditional financial institutions are expanding as governments escalate enforcement actions. If you’re a lawyer, policy analyst, or compliance professional who understands crypto, your career options have never been better.
The Grinex story is a reminder that “crypto compliance” isn’t a checkbox — it’s an entire ecosystem of jobs that didn’t exist a decade ago.
Looking to work in blockchain security, compliance, or DeFi infrastructure? Browse open roles at cryptogrind.com — the job board built for crypto builders.
