Approximately 1 billion rubles withdrawn from Grinex exchange in five minutes — CoinKit, 2026/04/18 13:39:39


Experts from the Russian analytical platform CoinKit have examined the hack of the cryptocurrency exchange Grinex, which resulted in the platform losing over 1 billion rubles.

Analysts estimate that the attack was premeditated, with withdrawals occurring simultaneously from multiple wallets. In total, funds were withdrawn from 54 exchange wallets within five minutes, primarily on the TRON network, with some on Ethereum. The rapidity of these transactions suggests the use of automated tools.

According to the analysis, the scheme involved several stages. Initially, funds from the 54 addresses were directed to two intermediary wallets on the TRON network: TQdCoD5XeZwpTkGvECax5URgtnGYSCsErs and TXWExsfktiLjq1dJQg7My2NzqfbUfmgP2D.

Subsequently, the assets were converted to TRX via the decentralized protocol SUN.io, complicating the tracking of the transactions. In the final stage, the funds were consolidated and transferred to a single accumulation address TH9kgjfrKeTNeyXtDKvxCXZ1dVKr7neKVa.

The distribution across networks was as follows: 48 addresses on the TRON network (TRC-20) and five on the Ethereum network (ERC-20). The largest single address, TG6qzN53Wgeqz4eKa8HNGSG9zraDUhD4mu, held nearly 6.86 million USDT, accounting for over half of the total amount stolen.

Analysts believe that this method of fragmenting funds, followed by conversion through decentralized services and final consolidation, is characteristic of significant hacks in recent years. It does not require complex external resources but necessitates careful preparation and an understanding of the architecture of hot wallets.
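The first stage described above (many exchange wallets paying out to a couple of addresses within minutes) is something an exchange can alert on from its own withdrawal feed. The following is an added example, not code from CoinKit or the article; the record layout, the placeholder wallet labels and the `min_sources` threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: placeholder labels, not real on-chain addresses.
HOT_WALLETS = {f"HOT_{k:02d}" for k in range(54)}
T0 = 1_700_000_000  # arbitrary start time (unix seconds)

def sample_transfers():
    """(unix_ts, from_addr, to_addr, amount_usdt) rows: routine payouts plus one drain."""
    rows = []
    # Routine customer withdrawals: one hot wallet pays a distinct address each hour.
    for n in range(20):
        rows.append((T0 - 3600 * (n + 1), f"HOT_{n % 5:02d}", f"CUSTOMER_{n}", 250.0))
    # Drain: all 54 hot wallets pay two intermediary addresses within 265 seconds.
    for k in range(54):
        dst = "INTERMEDIARY_A" if k % 2 == 0 else "INTERMEDIARY_B"
        rows.append((T0 + 5 * k, f"HOT_{k:02d}", dst, 1000.0))
    return rows

def detect_fan_in_drain(transfers, hot_wallets, window=300, min_sources=10):
    """Alert when one external address is paid by many distinct hot wallets in `window` s.

    window=300 mirrors the five minutes in the article; min_sources is an assumed
    threshold to tune against normal withdrawal traffic.
    """
    by_dest = defaultdict(list)
    for ts, src, dst, amount in transfers:
        if src in hot_wallets and dst not in hot_wallets:  # ignore internal rebalancing
            by_dest[dst].append((ts, src, amount))
    alerts = []
    for dst, rows in by_dest.items():
        rows.sort()  # chronological, so each burst is a contiguous run
        i = 0
        while i < len(rows):
            burst = [r for r in rows[i:] if r[0] - rows[i][0] <= window]
            sources = {src for _, src, _ in burst}
            if len(sources) >= min_sources:
                alerts.append({"destination": dst, "start": burst[0][0], "end": burst[-1][0],
                               "sources": len(sources), "total": sum(r[2] for r in burst)})
                i += len(burst)  # one alert per burst
            else:
                i += 1
    return sorted(alerts, key=lambda a: (a["start"], a["destination"]))

if __name__ == "__main__":
    for alert in detect_fan_in_drain(sample_transfers(), HOT_WALLETS):
        print(alert)
```

Grouping by destination rather than by time alone keeps ordinary customer withdrawals, which go to many unrelated addresses, from masking or triggering the alert.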

“This is not an ordinary hack but a complex, pre-planned attack. The perpetrators withdrew approximately $14 million in five minutes from 54 wallets, indicating preparation and automation. We have already tagged the wallets of the attackers. They will now always be monitored—every transaction will be visible. Unless, of course, the goal was to steal money rather than harm Russian users,” stated CoinKit CEO Vitaly Gorbenko.

The final address to which the funds were transferred has already been identified and is also under surveillance. Any further transactions from it will be tracked using on-chain analytics, experts reported.

Specialists from the blockchain security firm TRM Labs noted that, in addition to Grinex, the TokenSpot service was also affected. Approximately $5,000 was withdrawn from it, which was sent to the same address where the assets related to the attack on Grinex were accumulated.

According to TRM Labs, the attackers operated according to a pre-established scheme: they transferred funds to USDT and then converted them to TRX via the decentralized platform SunSwap, which allowed them to change the asset type and complicate potential blocking.

Earlier, analysts from the BitOK platform stated that the attack on Grinex shows no signs of being linked to foreign intelligence operations and resembles a classic theft of funds.