Sanctioned crypto exchange Grinex said it has suspended trading after losing more than 1 billion Russian rubles ($13.7 million) to an attack bearing signs of involvement by foreign intelligence agencies.

The exchange, which is registered in Kyrgyzstan but has been linked to Russia’s crypto ecosystem and alleged sanctions evasion, said on Thursday that the funds were taken from 54 addresses and that the digital footprint and nature of the attack indicate an “unprecedented level of resources and technology available only to entities of hostile states.”

“Due to the attack, the Grinex exchange has been forced to suspend operations. All available information has been transferred to law enforcement agencies. A criminal complaint has been filed at the location of the infrastructure,” it added.

Grinex had been widely seen as the successor to the similarly sanctioned Garantex exchange. Both have been accused by US authorities of assisting Russia and other entities in evading sanctions and laundering funds for Russia-linked hackers.

Elliptic founder Tom Robinson has accused it of being the primary platform for trading A7A5, a ruble-backed stablecoin linked to sanctions evasion.

A Grinex spokesperson told Cointelegraph last year that it strongly condemns any form of illegal activity, including sanctions evasion and money laundering.

Another exchange might have been hit by the same attacker

Grinex may not have been the only exchange targeted. Blockchain intelligence company TRM Labs said on Thursday that two wallets from TokenSpot, a Kyrgyzstan-based exchange with on-chain links to Grinex, sent around $5,000 to the same consolidation address used by the Grinex attacker.

TokenSpot’s Telegram channel announced technical work and a brief platform outage on April 15, followed the next day by an announcement that it had resumed full operations.

At the same time, TRM Labs said it has identified 16 additional addresses linked to the incident in addition to those Grinex publicly disclosed. The consolidation address where all the funds have been sent contains 45.9 million TRON (TRX), worth nearly $15 million.

Hacker might have stolen $15 million in USDT

Blockchain analytics firm Elliptic said it tracked about $15 million in USDt (USDT) leaving Grinex accounts. The funds were then sent to accounts on the Tron or Ethereum blockchains.

Related: Ukraine arrests FBI-wanted cybercrime suspect, seizes $11M in assets

“This USDT was then converted to another asset, either TRX or ETH. By doing so, the thief avoided the risk of the stolen USDT being frozen by Tether,” the company said.

This is not the first time an exchange accused of helping entities evade US sanctions has been targeted. Iran-based exchange Nobitex had $81 million drained in June 2025, with a pro-Israel hacker group claiming responsibility.

Magazine: Singapore isn’t a ‘crypto hub’ — it’s something better: StraitsX CEO