
Arbitrum Freezes $71M, Grinex Halts Trading: What It Means for VASPs

April 2026 brought two incidents compliance teams shouldn’t scroll past.
Anastasia Arashkevich


Crypto & Blockchain Expert

April 30, 2026

Arbitrum froze over $71M in ETH linked to the Kelp exploit — a rare move at this scale in DeFi. At the same time, sanctioned Russian exchange Grinex halted trading after a hack, blaming “foreign intelligence services.”

On the surface, these look like security incidents. In practice, they’re case studies in how crypto crime moves, how enforcement is evolving, and where exposure quietly builds up.

Let’s break them down.

The Kelp Hack and the Arbitrum Freeze: What Actually Happened

On April 20, Arbitrum froze ETH worth about $71.2 million linked to the KelpDAO exploit. The move made headlines. But the freeze is just the entry point. To understand what this means for compliance teams, you have to start two days earlier.

KelpDAO hack

On April 18, 2026, attackers drained approximately 116,500 rsETH — worth around $292 million — from KelpDAO.

The LayerZero Kelp exploit targeted the cross-chain messaging layer, triggering the release of ~116,500 rsETH, which was about 18% of total supply. Hackers used the stolen rsETH as collateral across multiple platforms to borrow $236 million.

The precision of the attack was striking. According to our data, the first transaction occurred just 1 minute and 48 seconds after the exploit. The final move into the hacker's aggregation wallet followed 1 hour, 58 minutes, and 51 seconds later.

The stolen funds split across three chains:

  • 75,700 ETH (~$174.73M) — Ethereum

  • 30,766 ETH (~$71M) — Arbitrum 

  • 124.34 AVAX (~$1,142) — Avalanche 

KelpDAO hack illustration. Source: Global Ledger

Two days later: Arbitrum steps in

The Arbitrum Kelp exploit response came on April 20, when the Security Council moved 30,766 ETH (over $71 million) into a governance-controlled frozen wallet. Any further movement now requires a formal governance vote.

The Council acted in coordination with law enforcement and explicitly limited the freeze to stolen funds, without impacting other users or the broader chain state.

The freeze, however, didn't stop the attacker. Roughly four hours after the Arbitrum freeze, the hacker began moving the remaining funds on Ethereum. At the time of publication, the money had gone to three hacker addresses, which have started splitting and laundering the funds:

  • 25,000.0000 ETH (57,880,797.64 USD) to 0xf98…10b85 

  • 50,700.0000 ETH (117,382,257.61 USD) to 0xabc…65b8

  • 0.76818718 ETH (1,778.53 USD) to 0xabc…a65b8

KelpDAO exploit, hackers addresses. Source: Global Ledger

KelpDAO hackers & the Bybit hack

Global Ledger's on-chain tracing then identified that the KelpDAO hacker's wallet infrastructure overlaps with wallets used in the Bybit hack laundering — the ~$1.4 billion exploit widely attributed to North Korean attackers.

Specifically, we have traced the funds that were sent to the Bitcoin network via THORChain: 16.13150026 ETH ($37,461.56) was swapped into 0.48699566 BTC ($37,270.76) and sent to a wallet used in the Bybit hack laundering.

KelpDAO hackers linked to Bybit hack. Source: Global Ledger

DPRK-linked groups are known to reuse self-hosted wallet infrastructure across different attacks — a pattern consistent with pre-planned, coordinated operations rather than an individual case. In 2025, across 255 incidents, DPRK-linked hackers were responsible for $1.89 billion in stolen assets (~46.8% of total losses).

The ~$48 million BtcTurk hack is one example of the laundering tactics DPRK-linked groups use. The hack involved funds moving through several services, including unhosted wallets, CoinJoin, Wasabi Wallet, THORChain, Chainflip, and the Lightning Network.


Why this matters

  1. The Arbitrum freeze is a new precedent. Even after the Bybit hack, a network-level intervention was discussed but never executed. This time it happened — and it changes what "decentralized" means for enforcement.
  2. DPRK-linked hacks are a system, not isolated incidents. If funds connect to North Korean actors, any downstream interaction with those assets creates sanctions exposure — even an indirect one.
  3. Speed is still the gap. $292M moved across three chains in under 2 hours. According to Global Ledger research, in ~76% of 2025 hacks — 195 out of 255 cases — funds moved before the industry could even publicly report the incident.

How Global Ledger can support

When $292 million moves in two hours and laundering starts before most teams have read the news, the response window is measured in minutes, not days.

With the Global Ledger KYT platform, you can:

  • Get visibility across all major blockchains — Bitcoin, Ethereum, Tron, Solana, and more — covering 98% of total market cap in one place. 

  • Monitor transactions continuously and receive real-time alerts on suspicious behavior in under a second. 

  • Catch risks faster with AI-powered prioritization and smart filters for focused, high-signal response.

  • Visualize full transaction flows and surface hidden wallet links using clustering algorithms that combine behavioral patterns, smart contract interactions, and fund origin analysis.

In practice, this means compliance teams can identify exposure earlier, act before funds are fully laundered, and reduce regulatory risk without relying on delayed alerts or manual investigation.
Part of the Global Ledger’s KYT tool interface

 


 

The Kelp hack shows how fast on-chain enforcement can move and how quickly stolen funds can disappear across chains before anyone reacts. The next case shows a different kind of exposure: one that built up over months, sitting in plain sight inside a sanctioned exchange.

Sanctioned Russian Exchange Grinex Halted Trading After $19M Hack

On April 16, 2026, Grinex — a Russian crypto exchange operating under OFAC sanctions since August 2025 — announced it was halting all trading activity following a cyberattack.

The exchange claimed losses of approximately 1 billion Russian rubles (~$13.1 million) and attributed the Grinex hack to "foreign intelligence services". However, Global Ledger found no on-chain evidence supporting that attribution.

Our data shows that about $19.38 million was stolen from Grinex. The attack simultaneously drained both operational customer deposit wallets on the TRON network — meaning client funds were directly at risk, not just exchange reserves.

Three asset types were stolen in the same operation:

  • A7A5 — a ruble-pegged stablecoin tied to sanctioned Russian financial networks
  • USDT — swapped to TRX via SunSwap DEX and consolidated
  • TRX — consolidated in self-hosted wallets:
    • TXK2U… holds 352,791,567 A7A5 (~$4.42 million)
    • TH9kgj… holds 46,093,251 TRX (~$14.96 million) 

The hack is significant. But the bigger compliance story is what the on-chain record of Grinex shows about the months leading up to it. From its launch over a year ago till the suspension, Grinex — a Garantex-linked exchange that emerged directly after the Garantex takedown — processed $16.54 billion worth of USDT and A7A5: 

  • $7.29 billion before OFAC sanctions (March 6 – August 14, 2025)
  • $9.25 billion after sanctions (Aug 15, 2025 – April 15, 2026) 
Grinex hacked for over $19M. Source: Global Ledger

Grinex processed more sanctioned-era volume than pre-sanction volume. Activity declined after designation, but it never stopped, and the exchange continued to rely on top-tier licensed exchanges for its flows. Over the past two years, licensed entities processed approximately $13 billion in sanctioned funds, including Russian-origin flows.  

It's the result of a deliberately built infrastructure connecting crypto mining, the A7A5 stablecoin, and regulated exchanges, designed to keep illicit Russian A7A5 flows moving through the system.


 

Why this matters

  1. Exposure starts before sanctions and continues after. Grinex processed $9.25 billion after its OFAC designation, more than it did before. Flows don't stop when a designation is issued. If your institution or counterparties ‘touched’ this network at any point, the exposure may already be there.
  2. Strict liability still applies. Under OFAC rules, processing sanctioned funds unknowingly is not a defense but a potential violation.
  3. A7A5 poses a risk. The token is structurally tied to sanctioned Russian financial infrastructure and was specifically designed to move ruble liquidity around restrictions. Any interaction with A7A5 flows warrants enhanced due diligence, regardless of how many hops away it sits.

How Global Ledger can support

Grinex-type exposure doesn't always show up in direct transactions. It can sit two, three, or five hops away. For regulators, the depth doesn't reduce the risk. That's why understanding your full counterparty picture matters as much as monitoring individual transactions.
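
An added example, not from the original article and not Global Ledger's method: one way to quantify exposure that sits several hops away, using the proportional ("haircut") taint model as an assumed convention. The transfers, address labels and the `trace_exposure` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed, time-ordered sample transfers: (sender, receiver, amount).
# Every address label here is made up; none is a real wallet.
TRANSFERS = [
    ("SANCTIONED_EXCHANGE", "hop1_wallet", 100.0),
    ("clean_user", "hop1_wallet", 300.0),
    ("hop1_wallet", "hop2_wallet", 200.0),
    ("hop2_wallet", "otc_desk", 200.0),
    ("clean_user", "licensed_vasp", 150.0),
    ("otc_desk", "licensed_vasp", 100.0),
]
EPS = 1e-9  # ignore floating-point dust when deciding "is tainted"

def trace_exposure(transfers, flagged, seed_balance=1_000_000.0):
    """Haircut taint propagation: every outgoing transfer carries the
    sender's current tainted share of its balance.
    Returns {address: (tainted_amount_received, min_hops_from_flagged)}."""
    balance = defaultdict(float)   # running balance per address
    tainted = defaultdict(float)   # tainted part of that balance
    received = defaultdict(float)  # cumulative tainted inflow
    hops = {}                      # shortest hop count along real fund flow
    for src in flagged:
        balance[src] = tainted[src] = seed_balance
        hops[src] = 0
    for sender, receiver, amount in transfers:
        if balance[sender] < amount:
            # Funding outside the sample: assume the shortfall is clean.
            balance[sender] = amount
        share = tainted[sender] / balance[sender] if balance[sender] else 0.0
        moved = amount * share
        balance[sender] -= amount
        tainted[sender] -= moved
        balance[receiver] += amount
        if receiver in flagged:
            tainted[receiver] += amount  # flagged entities stay fully tainted
            continue
        tainted[receiver] += moved
        if moved > EPS:
            received[receiver] += moved
            hops[receiver] = min(hops.get(receiver, 10**9), hops[sender] + 1)
    return {a: (round(received[a], 2), hops[a]) for a in received}

if __name__ == "__main__":
    for addr, (amt, depth) in trace_exposure(TRANSFERS, {"SANCTIONED_EXCHANGE"}).items():
        print(f"{addr}: {amt} tainted units, {depth} hop(s) from flagged source")
```

In this sample the licensed platform never transacts with the flagged exchange directly, yet it ends up with tainted inflow four hops downstream; mixing with clean funds dilutes the amount but does not remove the link.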

With the Global Ledger platform, you can:

  • Get full visibility into direct and indirect exposure across all counterparties — before it becomes a compliance issue.

  • Get the source and use of funds to uncover links to sanctions, mixers, or high-risk services deep in the transaction chain. 

  • View all counterparties involved in the entity’s transactions with their respective risk ratings and exposure volumes. 

A detailed entity exposure report gives compliance teams a complete view of where risk actually sits. It helps uncover hidden exposure across counterparties and address it before it escalates into a regulatory issue. 
Entity Exposure report. Source: Global Ledger’s KYB solution

 


 

FAQ 

What does it mean to bridge Arbitrum funds after a freeze?

After the Arbitrum Kelp exploit freeze, stolen ETH moved into a governance-controlled wallet. To bridge Arbitrum funds out, a formal governance vote must complete first — making the freeze a coordinated enforcement structure, not just a technical block. 

What is the A7A5 stablecoin and why does it matter for compliance?

The A7A5 stablecoin is a ruble-pegged token used as a core instrument in stablecoin sanctions evasion schemes — replacing frozen USDT after the Garantex takedown and routing illicit Russian A7A5 flows through licensed exchanges.

What does the Grinex hack mean for sanctions compliance?

Designation doesn't stop flows. Grinex processed $9.25B after OFAC sanctions, routing funds through licensed platforms. Under strict liability, exchanges that “touched” Grinex-linked flows, even unknowingly, may carry exposure.

What are the key Russian crypto exchange compliance risks?

The main risk is hidden exposure to sanctioned liquidity moving through layered infrastructure. The A7A5 token is a clear case of stablecoin sanctions evasion: a ruble-pegged asset used to route funds through licensed platforms under the cover of normal trading. These flows often look routine, but any link to sanctioned entities still creates compliance risk — regardless of intent.