
Cryptohack Roundup: US-Sanctioned Grinex Hacked

Source: Data Breach Today (archived Apr 23, 2026)

Also: Updates in KelpDAO, Drift, Hyperbridge Hacks

This week, Grinex was exploited, a hacker laundered KelpDAO funds, Circle was sued over $280M Drift hack, Rhea Finance and Volo Protocol were exploited, update in Hyperbridge hack, sentencing in art scam case, a French home invasion for crypto theft and eth.limo hijack thwarted.



Rashmi Ramesh (rashmiramesh_) • April 23, 2026

Image: Satheesh Sankaran/Shutterstock

Every week, ISMG rounds up cybersecurity incidents in digital assets. This week, Grinex was hacked, a hacker laundered KelpDAO funds, Circle was sued over the $280 million Drift hack, Rhea Finance and Volo Protocol suffered exploits, there was an update in the Hyperbridge hack, a sentencing in an art scam case, a French home invasion for crypto theft, and an eth.limo hijack was thwarted.

Grinex Halts Trading After $15M Crypto Hack

Grinex, a Kyrgyzstan-registered crypto exchange that helped power Russia's shadow economy, has stopped withdrawals and trading after a cyberattack. The platform said attackers stole more than 1 billion rubles or about $13 million, though blockchain analysis by Elliptic says the losses may be closer to $15 million.

Grinex said the attack was highly coordinated and hinted that state-backed actors could be involved, saying the goal was to disrupt crypto activity linked to Russia. It has given no direct evidence to support this claim.

Grinex has become a hub for trading involving the Russian ruble and the A7A5-pegged cryptocurrency. The cryptocurrency is linked to a Russian firm headed by sanctioned Moldovan oligarch Ilan Mironovich Shor and backed by sanctioned Russian bank Promsvyazbank.

Investigators found that the stolen funds, mainly in USDT, moved across multiple blockchains, including tron and ethereum. The attacker then converted the funds into other cryptocurrencies, likely to avoid having them frozen. A wallet linked to the incident still holds a large amount of funds.

Grinex emerged as a successor to Garantex, a platform accused by U.S. authorities of handling illicit transactions and the subject of a May 2025 takedown by a multinational law enforcement operation. The U.S. Department of the Treasury sanctioned Grinex in August 2025 (see: US Sanctions Crypto Exchange Tied to Russian Ransomware).

More than two dozen British members of Parliament called on the British government Wednesday to sanction top Kyrgyz officials for their role in enabling Russian sanctions busting and for allowing Kyrgyzstan to host infrastructure supporting A7A5.

KelpDAO Hacker Launders $80M ETH Via Cross-Chain Swaps

The attacker behind the $292 million exploit of KelpDAO laundered about $80 million in ethereum, said blockchain analytics firm EmberCN. Onchain data shows the exploiter moved roughly $175 million in ETH off the ethereum network and has since processed around 34,500 ETH through laundering routes.

The activity appears to have accelerated after the Arbitrum Security Council froze 30,766 ETH tied to the hack. Investigators suspect links to North Korea's Lazarus Group, which has previously used similar methods to convert stolen crypto.

Circle Sued Over Delayed Response to $280M Drift Hack

Circle Internet Financial faces a putative class action lawsuit from investors in Drift Protocol who lost money in a $280 million hack on April 1. The lawsuit says Circle failed to act quickly to freeze stolen USDC, even though it had the ability to do so. Lawyers said that Circle could have limited the losses but did not intervene in time.

The attacker moved more than $230 million in USDC across blockchains within hours of the breach, making recovery harder. Drift Protocol said the attacker gained access to its system, introduced a harmful asset and removed safeguards that normally limit withdrawals. The team later revealed that the attacker had spent months pretending to be a legitimate trading firm to gain trust before carrying out the hack.

Blockchain investigator ZachXBT also criticized Circle, saying the company had a window of several hours to freeze the stolen funds but did not act. The lawsuit says that Circle had frozen wallets in another case just days earlier, suggesting it had both the tools and precedent to respond more quickly.

Rhea Finance Exploit Losses Hit $18.4M

Rhea Finance said an exploit drained about $18.4 million from its platform. In a post-mortem, the team said the attacker targeted its margin trading feature that lets users borrow and trade at the same time. The hacker created a setup that looked like normal trading activity but moved borrowed funds into fake pools they controlled. In return, the protocol received almost nothing. This left many positions without enough backing, which triggered automatic sell-offs and drained Rhea's reserves.

The attacker returned a portion of the stolen assets, and another chunk has been frozen, said Tether CEO Paolo Ardoino. Around $5.6 million is still unaccounted for. Rhea has paused the affected parts of its platform and is working with partners to track the remaining funds. It also plans to compensate users, though it has not shared details yet.

$3.5M Volo Protocol Exploit

Volo Protocol disclosed a $3.5 million exploit. Within 30 minutes of announcing the breach, Volo said it had frozen approximately $500,000 of the stolen assets. The team has not yet disclosed the vulnerability behind the exploit or identified the attacker. Volo said it intends to absorb the losses rather than pass them on to users.

Hyperbridge Hack Losses Jump to $2.5M

Hyperbridge raised its estimated losses from a recent hack to about $2.5 million, up from an earlier figure of $237,000. The update reflects a wider impact across several networks, including ethereum, Base, BNB Chain and arbitrum.

The attack happened in two steps. The attacker first stole a smaller amount of funds. About an hour later, they exploited a flaw in the system that checks cross-network transactions. This allowed them to create a large number of fake tokens and quickly sell them, draining funds from the platform’s liquidity pools.

Hyperbridge said the issue only affected its token transfer system and did not impact native assets on Polkadot or funds moved through other services. The platform has paused its transfer feature until it fixes the issue and completes an external security review.

The team said it has traced a portion of the stolen funds and is working with Binance and authorities to recover them. But it warned that recovery could take months and that it plans to compensate users using its own token.

Texas Man Gets 23 Years for $20M Crypto Art Scam

A U.S. federal court sentenced Robert Dunlap, 55, to 23 years in prison for defrauding nearly 1,000 investors of more than $20 million through a fake cryptocurrency scheme. U.S. District Court for the Northern District of Illinois Judge LaShonda A. Hunt also ordered him to repay victims.

Dunlap promoted a token called Meta-1 Coin, claiming it was backed by billions of dollars in gold and valuable artwork by artists like Pablo Picasso, Vincent van Gogh and Salvador Dalí. He told investors these assets were verified and secure. Prosecutors later proved these claims were false.

A Chicago federal jury convicted Dunlap last year on mail fraud charges. Authorities said he used misleading statements and false promises to convince people to invest, leaving many victims with major financial losses.

Armed Robbers Invade Home of French Family

Two armed men carried out a violent home invasion in Northwest France, extorting around 700,000 euros in cryptocurrency from a family, reported Breton newspaper Le Télégramme. The attackers entered a home occupied by a mother, her two young children and two grandparents. They restrained the three adults and held them on the floor for over three hours while demanding access to the family's digital assets. Under pressure, the mother transferred the funds.

The assailants fled after a neighbor intervened, stealing the family's vehicle, which police later recovered abandoned. No arrests have been made so far.

eth.limo Hijack Thwarted

The gateway eth.limo, which connects ethereum Name Service domains to web content, suffered a brief domain hijack following a social engineering attack on its registrar, EasyDNS. An attacker impersonated a team member and triggered an account recovery process, gaining control and redirecting nameservers. The changes briefly pointed traffic to infrastructure hosted by Cloudflare and later Namecheap before access was restored.

The attack raised the risk of redirecting traffic for millions of .eth domains, including pages like ethereum founder Vitalik Buterin's blog, to phishing sites. The attacker lacked cryptographic signing keys and hence the malicious DNS responses were rejected, limiting the incident's impact.