Grinex Hack: Hackers Stole $6.5 Million, But It Wasn't a State-Sponsored Operation
The Grinex crypto exchange lost over $6.5 million in a hacker attack—but experts believe this was the work of ordinary criminals rather than foreign intelligence agencies. For users, this serves as an important warning: even if an exchange is under sanctions, its vulnerabilities can be exploited by run-of-the-mill cybercriminals, not nation-states.
Why This Looks Like a Run-of-the-Mill Robbery
Analysts at BitOK examined the transactions following the breach and concluded that the attackers’ actions were far too straightforward to qualify as a state-sponsored operation. Instead of employing complex money-laundering schemes involving dozens of wallets, the hackers quickly transferred nearly the entire stolen amount—about 45.9 million TRX—to a single address and then cashed it out through the decentralized exchange SunSwap.
State-backed hackers typically operate differently: they meticulously cover their tracks, distribute assets across multiple chains, and avoid drawing attention. In this case, however, everything played out the opposite way—as if a robber had burst into a bank, grabbed the cash, and sprinted straight to the nearest currency exchanger.
Sanctions and Reality
Shortly before the attack, Grinex (legally registered in Estonia as Garantex) was added to the U.S. Treasury’s Office of Foreign Assets Control (OFAC) blacklist. This means U.S. companies are prohibited from doing business with it. Yet, as experts point out, if the U.S. or another country wanted to freeze the exchange’s assets, they wouldn’t need to hack it—they could simply pressure Tether, the issuer of USDT, the stablecoin that dominates the platform.
Tether could have easily frozen all wallets associated with Grinex, just as it has done previously with other sanctioned addresses. Therefore, the hack wasn’t a political act but rather a quick attempt to make easy money.
Key Takeaways
- The damage totaled $6.56 million, which is relatively small compared to the exchange’s daily trading volume ($1 billion), further suggesting no state involvement.
- The withdrawal method—using SunSwap and consolidating funds into a single wallet—is typical of criminal groups, not intelligence agencies.
- Lack of sophisticated obfuscation: there were no signs of mixing services, cross-chain bridges, or multi-stage routing being employed.
- Sanctions ≠ hacking: being on a sanctions list doesn’t turn a platform into a target for state-sponsored hackers; more often, it attracts cybercriminals instead.
- Risk for users: even sanctioned exchanges remain vulnerable to standard attacks, especially if they continue operating without robust security measures.
What Should Ordinary People Do?
If you hold assets on lesser-known or sanctioned exchanges—particularly those still operating “under the radar”—it may be time to reconsider. Such platforms often lack access to modern security tools and become easy targets. It’s best to store your cryptocurrency in a self-custody wallet (“not your key, not your coins”), especially when dealing with significant amounts.
Remember: sanctions don’t protect against hackers; on the contrary, they can make a platform even more vulnerable.
— Editorial Team