After two months of silence: the hacker began to split the 45.9 million TRX stolen from the Grinex exchange
The attacker who controlled the assets stolen from the Grinex crypto exchange has finally emerged from hibernation. After more than two months of complete inactivity, he initiated the process of withdrawing funds from the consolidation address. The ~45.9 million TRX stolen in April were fragmented and sent to a dozen and a half new wallets in less than half an hour. Notably, the address where the funds had been sitting since the attack is now empty.
Timeline of the hack and the lull
As a reminder, on April 15, 2026, hackers emptied Grinex wallets in a matter of minutes, stealing over 1 billion rubles. The exchange acknowledged the incident a day later and described it as a targeted attack by foreign intelligence services on Russia's financial system. However, BitOK analysts disputed this version, viewing the event as an ordinary robbery for profit. The attacker converted the stolen stablecoins into TRX via the decentralized platform SunSwap and consolidated them into a single address.
The wallet TH9kgjfrKeTNeyXtDKvxCXZ1dVKr7neKVa was created on the day of the attack. It remained inactive until June 26: the stolen ~45.9 million TRX (approximately $15 million at the time of the hack) sat there as a single lump sum.
On the evening of June 26, the situation changed. According to data from the TRONSCAN blockchain explorer, the last activity at the address was dated June 26 at 23:31 UTC, with the main withdrawal taking place within about ten minutes. The wallet balance is now worth less than one cent: only 0.03 TRX remain, along with a few spam tokens of the kind automatically sent to thousands of addresses, which are unrelated to the incident.
Fragmentation scheme: classic "laundering"
In total, 74 transfers passed through the address: 42 incoming and 32 outgoing. The large incoming transfers occurred in mid-April — this is how the consolidated sum of stolen funds was formed. The outgoing transactions are concentrated in a single June window.
| Transfer Type | Quantity | Activity Period | Purpose |
|---|---|---|---|
| Incoming | 42 transfers | Mid-April 2026 | Accumulation of stolen funds |
| Outgoing | 32 transfers | June 26, 2026 (10-minute window) | Withdrawal and fragmentation of assets |
Methodology and likely goals
The withdrawal followed a characteristic pattern. Each recipient address first received a test transfer of 100 TRX, followed by the main amount of approximately 2,880,828 TRX (about $930,000 at the current exchange rate). This pattern lets the sender confirm that the route works before moving a large sum.
The funds were distributed to at least 15 fresh addresses, including: TJZndDqSwVRe…, TPu4HZT5qxoPJ…, TVsXv8TMgD4i…, TWoN3hz6QyGD…, TK7w5Rn8m67…
Such a fan-like fragmentation of a consolidated sum usually precedes an attempt at further laundering or cashing out through exchange services. What we are seeing now is the classic first step — breaking the "egg" into many small pieces to complicate tracking.
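For analysts monitoring such addresses, the test-then-main pattern described above can be flagged automatically. The following is an added example, not part of the original article or any vendor's tooling: the record fields, thresholds and placeholder addresses (`SRC`, `DEST_A`, ...) are assumptions, and the sample transfers are constructed using the amounts quoted in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def probe_then_bulk(transfers, source, probe_max=100, bulk_min=1_000_000,
                    window=timedelta(minutes=30)):
    """Map recipient -> (probe, bulk): a small test transfer from `source`
    followed by a large transfer to the same address within `window`."""
    per_dest = defaultdict(list)
    for t in transfers:
        if t["from"] == source:
            per_dest[t["to"]].append(t)
    pairs = {}
    for dest, txs in per_dest.items():
        txs.sort(key=lambda t: t["ts"])
        for i, probe in enumerate(txs):
            if probe["amount"] > probe_max:
                continue
            bulk = next((b for b in txs[i + 1:] if b["amount"] >= bulk_min
                         and b["ts"] - probe["ts"] <= window), None)
            if bulk:
                pairs[dest] = (probe, bulk)
                break
    return pairs

def fan_out_summary(transfers, source, min_recipients=3, tolerance=0.01):
    """Flag a fan-out: several probe+bulk recipients with near-equal bulk amounts."""
    pairs = probe_then_bulk(transfers, source)
    bulks = [b["amount"] for _, b in pairs.values()]
    equal = bool(bulks) and max(bulks) - min(bulks) <= tolerance * max(bulks)
    return {"recipients": sorted(pairs), "moved": sum(bulks),
            "alert": len(pairs) >= min_recipients and equal}

# Constructed sample data: placeholder addresses, amounts taken from the article.
def _tx(src, dst, amount, minute):
    return {"from": src, "to": dst, "amount": amount,
            "ts": datetime(2026, 6, 26, 23, minute)}

SAMPLE = [
    _tx("SRC", "DEST_A", 100, 20), _tx("SRC", "DEST_A", 2_880_828, 21),
    _tx("SRC", "DEST_B", 100, 22), _tx("SRC", "DEST_B", 2_880_828, 23),
    _tx("SRC", "DEST_C", 100, 24), _tx("SRC", "DEST_C", 2_880_828, 25),
    _tx("SRC", "DEST_D", 2_880_828, 26),   # bulk without a probe: not paired
    _tx("SRC", "DEST_E", 100, 27),         # probe only: no bulk seen yet
    _tx("OTHER", "DEST_F", 100, 28), _tx("OTHER", "DEST_F", 2_880_828, 29),
]

if __name__ == "__main__":
    print(fan_out_summary(SAMPLE, "SRC"))
```

A recipient that has received only the probe (like `DEST_E` here) is worth watching separately, since the main transfer may still follow.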
My comment: A two-month pause is not uncommon for major hacks. Hackers often wait for the wave of attention from analysts and law enforcement to subside. The fact that movement started now may indicate that the attacker either found a safe channel for withdrawal or simply lost patience. In any case, these 15 addresses now require close monitoring — we will likely see further transfers through mixers or to centralized exchanges.