Chainalysis: Grinex shutdown exposes shadow crypto laundering

Chainalysis says Grinex’s suspension revealed a network that laundered fiat-backed stablecoins by rapidly swapping them into TRX on Tron-based platforms to avoid freezes.

On April 17, blockchain analytics firm Chainalysis published a review after sanctioned exchange Grinex suspended operations and posted source and destination addresses. Grinex reported a cyberattack that it said cost about 1 billion rubles, roughly $13.7 million.

Using on-chain data, Chainalysis tracked the transfers and found most of the exfiltrated assets were fiat-backed stablecoins. The firm observed the stablecoins routed through a Tron-based decentralized exchange and converted into TRX within a short time frame.

Chainalysis wrote: “In the case of the alleged Grinex hack, the stablecoin funds were quickly swapped for a non-freezable token, thereby avoiding the risk of having the stablecoins frozen by the issuer.” The analysis added: “This frantic swapping from stablecoins to more decentralized tokens is a hallmark tactic of cybercriminals and illicit actors attempting to launder funds before a centralized freeze can be executed.”

The firm noted that the speed and direction of the swaps did not match patterns common to Western law enforcement seizures, where authorities can ask centralized stablecoin issuers to freeze suspicious balances.

Chainalysis linked the Tron-based exchange used in the swaps to liquidity services that previously supported Garantex, a sanctioned platform disrupted by international enforcement. The company described Grinex as a direct successor to Garantex and identified connections to A7A5, a ruble-backed token issued by Old Vector. The analysis said A7A5 served a narrow Russia-linked payments ecosystem and cross-border settlement flows emerging under sanctions pressure.

At the time of publication, the traced funds were concentrated in a single on-chain address, leaving a visible trail for further forensic work. The report noted that Chainalysis labeled the relevant addresses in its products to help customers and investigators spot exposure as funds move downstream.

The analysis described the incident as a disruption inside what it called a “shadow crypto economy,” a network of exchanges, tokens and liquidity services that has continued to move value despite sanctions.
