Kyrgyzstan-based crypto exchange halts trading after $15M USDT cyberattack and wallet breach

Grinex, a crypto exchange based in Kyrgyzstan, halted all trading activity after hackers stole more than $15 million USDT from its wallets. The exchange issued a public statement confirming the attack, while British blockchain analytics firm Elliptic tracked the stolen funds and found that the attackers moved them to avoid detection.
The incident comes amid a broader wave of attacks targeting crypto exchanges globally in 2025 and 2026, where hot-wallet vulnerabilities and signing-flow compromises have remained the most exploited entry points.
Hackers stole money and stopped Grinex trading
The breach raised concerns about the safety of user funds on crypto exchanges after hackers broke into Grinex’s wallet system and stole more than 1 billion rubles (about 13-15 million US dollars in USDT). The funds were swiftly moved across multiple blockchain addresses.
While investigations into the Kyrgyzstan exchange breach are still ongoing, the incident adds to mounting concerns about the security posture of smaller and mid-tier crypto trading platforms operating in jurisdictions with limited regulatory oversight.
To prevent further damage, the exchange froze all platform activity, including withdrawals, leaving many users unable to access their funds. Grinex described the attack as highly coordinated and said the hackers were skilled individuals using advanced tools and resources to breach the system. The company even claimed that foreign intelligence services may be involved and that the goal was to damage Russia’s financial system and its independence.
However, the source of the attacks remains unknown, as there’s no clear evidence supporting claims of foreign involvement.
At the same time, Grinex said it had faced similar problems in the past, including pressure from sanctions, transaction restrictions, and repeated minor attacks, which forced it to respond harshly.
The exchange filed a criminal complaint and shared all available information with law enforcement agencies for easier data tracking.
The incident showed how exchanges linked to sanctioned systems often face higher risks, including cyberattacks, greater regulatory scrutiny, and increased pressure from external actors.
Similarly, the event exposes weaknesses in centralized exchanges that hold large amounts of user funds in a single location, underscoring the need for stronger security as attackers become increasingly sophisticated.
Attackers move stolen funds to hide them
The Grinex hackers immediately moved the stolen USDT using blockchain tools to slow down law enforcement tracking.
According to Elliptic reports, the attackers quickly sent the stolen USDT across multiple wallets and networks, including Tron and Ethereum, making tracking even more difficult. They then converted the stolen USDT into other assets, such as TRX and ETH, because Tether controls USDT and could easily freeze funds linked to a crime.
Finally, the hackers consolidated the funds into a single main wallet holding 45.9 million TRX (about $15 million), where they can decide whether to hold, move again, or cash out.
The entire event shows common cybercrime behavior that relies on decentralized tools, which lack a central authority and so allow criminals to move funds without being stopped.
Experts have already reported such patterns in stablecoin risks, including chain-hopping (moving funds across different blockchains to avoid detection) and layering (using multiple wallets to spread funds across different addresses).
Grinex is widely seen as a successor to Garantex, a major crypto exchange that shut down after sanctions from the United States, the European Union, and the United Kingdom over allegations of money laundering.
However, even after Garantex shut down in 2025, its users and liquidity moved to other platforms, and one of the main destinations was Grinex. This migration made Grinex an essential trading hub for users handling rubles and crypto.
It also became a center for stablecoin activity, such as the ruble-backed stablecoin A7A5, but this complicated matters because the token is also backed by deposits held by institutions that faced sanctions.
A7A5 also runs on blockchains like Ethereum and Tron, enabling it to cross borders easily and support very large transactions.
Interestingly, only a small number of wallets control a large share of these transactions, keeping activity concentrated among a few key players and increasing the risk of sanction evasion.
According to Elliptic, sanctioned actors use stablecoins to bypass financial restrictions, so the Grinex hack connects to how platforms that operate in certain regions become both useful tools and major targets.
The whole situation puts more pressure on exchanges to improve their safety measures and detect unusual behavior before it turns into a major loss. At the same time, attackers continue to adapt by switching between assets and using tools that are harder to control.





