More than 1 billion rubles — roughly $13 million by the platform's accounting, and closer to $15 million according to blockchain analytics firm Elliptic — were taken in a single, highly coordinated attack that forced the Kyrgyzstan-registered exchange Grinex to halt withdrawals and trading.
Grinex halts trading after coordinated theft
Grinex announced that attackers stole more than 1 billion rubles and tied the theft to an effort "to disrupt crypto activity linked to Russia." Elliptic's blockchain analysis put the loss nearer to $15 million. Investigators reported that the bulk of the theft was in USDT and that the stolen funds moved across multiple blockchains, including Tron and Ethereum, before being converted into other cryptocurrencies, a standard laundering technique intended to make freezing or recovery harder.
The exchange has described the intrusion as "highly coordinated" and hinted at possible state-backed involvement but supplied no direct evidence to support that attribution. Grinex is linked in the reporting to an A745-pegged cryptocurrency backed by a Russian firm headed by Ilan Mironovich Shor and to sanctioned Russian bank Promsvyazbank. The U.S. Department of the Treasury had sanctioned Grinex in August 2025. Grinex is also portrayed in the record as a successor to Garantex, the subject of a May 2025 multinational takedown.
KelpDAO laundering: EmberCN traces $80M of ETH
Blockchain analytics firm EmberCN said the exploiter behind the $292 million KelpDAO breach laundered about $80 million in ether. Onchain data cited in the report shows roughly $175 million in ETH was moved off the Ethereum network, and that around 34,500 ETH has been processed through laundering routes.
The laundering accelerated after the Arbitrum Security Council froze 30,766 ETH tied to the hack, the reporting says. Investigators suspect the actor may be linked to North Korea's Lazarus Group, citing similarity to methods the group has used before; the article characterizes that connection as suspicion rather than a confirmed attribution.
Circle sued after $280M Drift exploit
Investors in Drift Protocol filed a putative class action claiming Circle Internet Financial delayed acting to freeze stolen USDC during a $280 million hack on April 1. Plaintiffs allege Circle could have limited losses but "did not intervene in time," and point to onchain movement of more than $230 million in USDC across blockchains within hours of the breach.
Drift said the attacker had gained access, introduced a harmful asset, and removed safeguards that normally limit withdrawals; the project later said the attacker had spent months posing as a legitimate trading firm to build trust before executing the exploit. Blockchain investigator ZachXBT criticized Circle for missing a window of several hours when intervention might have been possible. The lawsuit notes that Circle froze wallets in another matter days earlier, arguing precedent and capability for faster action.
Rhea Finance, Volo Protocol and Hyperbridge: a cluster of DeFi intrusions
Rhea Finance said an attacker exploited its margin trading feature and drained about $18.4 million by moving borrowed funds into fake pools the attacker controlled; the attacker returned some funds, roughly $5.6 million remains unaccounted for, and Tether CEO Paolo Ardoino said a portion has been frozen. Rhea paused the affected components and plans to compensate users, though compensation details were not released.
Volo Protocol disclosed a $3.5 million exploit and froze about $500,000 of the stolen assets within 30 minutes of the announcement. Volo has not yet detailed the vulnerability and said it plans to absorb losses rather than pass them to users.
Hyperbridge revised its estimated losses up to about $2.5 million from an initial $237,000 after an attacker first stole a smaller sum and, an hour later, exploited a cross-network transaction check to mint large numbers of fake tokens and sell them into liquidity pools. Hyperbridge said the problem only affected its token transfer system, paused transfers, and is working with Binance and authorities to trace and recover funds while planning compensation using its own token.
What this means for technologists, policymakers, and exchanges
- Technologists and security teams: multiple incidents underline how quickly funds can traverse Tron, Ethereum, Base, BNB Chain, and Arbitrum; several responses included freezing wallets, pausing transfer features, and external security reviews.
- Policymakers and enforcement: the Grinex case intersected with sanctions policy — the exchange had been sanctioned by the U.S. Treasury in August 2025, and more than two dozen British MPs urged UK action against Kyrgyz officials for alleged facilitation of sanctions-busting.
- Exchanges and protocols: the series of breaches shows operators using freezes, asset conversion tracking, coordination with centralized platforms like Binance, and, in some cases, plans to compensate users from protocol reserves or tokens.
Sentencing, violent theft, and a thwarted domain hijack
Separate from the market intrusions, a U.S. federal court sentenced Robert Dunlap to 23 years in prison for defrauding nearly 1,000 investors of more than $20 million with a fake token called Meta-1 Coin; U.S. District Judge LaShonda A. Hunt ordered repayment to victims after a Chicago jury convicted Dunlap of mail fraud.
In northwest France, two armed intruders extorted about 700,000 euros in cryptocurrency from a family, holding adults on the floor for more than three hours as they demanded access to digital assets; no arrests had been reported at the time of the article. Separately, eth.limo, a gateway connecting Ethereum Name Service domains to web content, suffered a brief domain hijack after a social engineering attack on registrar EasyDNS. The attacker redirected nameservers to infrastructure at Cloudflare and later Namecheap, but because the attacker lacked cryptographic signing keys, the malicious DNS responses were rejected and the incident was limited.
Across these reports, the common threads are speed, cross-chain movement, and a mix of technological and human factors — from technical flaws enabling fake-token creation to social engineering of registrars. Recovery efforts are under way in multiple cases, but several incidents leave substantial sums frozen, returned only partially, or unaccounted for. The record leaves open how long investigations and recovery will take and which legal or operational remedies will be decisive.
Source: Cryptohack Roundup: US-Sanctioned Grinex Hacked — GovInfoSecurity




