How Hackers Stole 1 Billion Rubles from a Russian Crypto Exchange in Five Minutes
Hackers withdrew over 1 billion rubles (approximately $14 million) from the Grinex exchange in just five minutes, using a sophisticated scheme involving decentralized services and fund fragmentation. This was no random breach—it was a premeditated attack, revealing how vulnerable even major platforms can be when basic security practices are ignored.
How the Attack Unfolded: Three Steps to a Billion-Dollar Disappearance
AML platform CoinKit reconstructed the sequence of events. It began with the simultaneous withdrawal of USDT stablecoins from 54 wallets—48 on the TRON network (TRC-20) and 5 on Ethereum (ERC-20). These funds landed almost instantly on two TRON addresses: TQdCoD5XeZwpTkGvECax5URgtnGYSCsErs and TXWExsfktiLjq1dJQg7My2NzqfbUfmgP2D.
Then, attackers did what makes investigations significantly harder: they converted the USDT into TRON’s native cryptocurrency, TRX, via the decentralized protocol SUN.io (part of the SunSwap ecosystem). This is akin to a thief stealing dollars and immediately exchanging them for euros at an unregulated kiosk—leaving no paper trail.
The final step: all TRX were consolidated into a single address—TH9kgjfrKeTNeyXtDKvxCXZ1dVKr7neKVa. This wallet is now under active monitoring by analysts—but recovering the funds without cooperation from law enforcement and blockchain forensic experts is nearly impossible.
Why This Was Not a "Typical" Breach
Typically, hackers act chaotically: grab and run. Here, there was a precise plan:
- Mass withdrawals from dozens of addresses simultaneously—to outrun security systems’ response time.
- Asset-type conversion via a DEX (decentralized exchange)—to obscure transaction tracing.
- Consolidation into a single wallet—for subsequent off-ramping or cash-out.
"This isn’t a routine hack—it’s a coordinated, premeditated operation," emphasized Vitaly Gorbenko, CEO of CoinKit. He noted that the high degree of automation reflects the attackers’ advanced preparation.
Interestingly, Grinex wasn’t the only victim. TokenSpot lost approximately $5,000—and those funds also ended up at the same final address. This suggests the attackers either tested their methodology or deployed the same attack vector across multiple platforms.
Key Facts
- Loss amount: ~1 billion rubles ($14 million), predominantly in USDT.
- Method: fragmentation → DEX-based conversion → consolidation.
- Networks involved: primarily TRON, with partial activity on Ethereum.
- Suspects: no evidence points to state actors; most likely a criminal group.
- Wallet status: already flagged in AML systems; all associated transactions are actively monitored.
What This Means for Everyday Users
If you store cryptocurrency on an exchange—especially a lesser-known or regional one—your assets may be at risk. Even "hot wallets" (those enabling fast withdrawals) require multi-layered protection. Today’s hackers don’t just crack passwords—they deploy complex financial schemes reminiscent of corporate raiding in traditional banking.
The best defense is keeping the majority of your assets off exchanges entirely, in so-called "cold wallets" (hardware devices or offline storage). Choose exchanges that have undergone independent security audits and offer asset insurance.
Finally, incidents like this remind us: the crypto market remains wild and dangerous. That’s precisely why companies like CoinKit and TRM Labs exist—they make it marginally safer by monitoring suspicious flows in real time.
— Editorial Team