The recent disappearance of $90 million from Iran’s Nobitex exchange has sparked a wave of intrigue and suspicion, with new developments suggesting a complex web of espionage and cyber warfare. According to TRM Labs, a leading blockchain intelligence firm, pro-Israel hackers may have been behind the siphoning of funds and the possible acquisition of sensitive information to uncover Iranian spies who were compensated in cryptocurrency for their clandestine activities.
Following the hack, three Israeli citizens were apprehended for their alleged involvement in espionage activities on behalf of Iranian intelligence. These activities included surveillance, propaganda dissemination, and intelligence-gathering tasks, all of which were reportedly compensated with cryptocurrency payments. TRM Labs highlighted the rarity of a public case involving state-sponsored espionage with operatives being remunerated using digital assets.
The investigation revealed that each suspect received crypto payouts upon completing specific assignments, with the funds being delivered through anonymized blockchain channels. One of the accused individuals, Dmitri Cohen, is said to have tracked and photographed members of Prime Minister Benjamin Netanyahu’s family, including Netanyahu’s future daughter-in-law, Amit Yardeni. Cohen allegedly maintained encrypted communication with his Iranian handler using a dedicated device and received around $500 per task.
Another suspect, a 27-year-old from Tel Aviv, was detained for photographing military sites and government buildings and for tagging graffiti. Authorities seized multiple devices from his residence during the investigation. A third suspect, a 19-year-old from the Sharon region, reportedly passed classified information to Iranian contacts after being recruited online.
While Israeli officials have not explicitly linked the arrests to any specific cyber incident, TRM Labs suggested a potential connection between the espionage case and the hack of Nobitex, Iran’s largest cryptocurrency exchange. The timing of Israeli airstrikes, the Nobitex hack, and the subsequent arrests raised suspicions of intelligence overlaps. Although no concrete evidence has been presented linking Israel to the cyberattack on Nobitex, a pro-Israel hacking group known as Predatory Sparrow claimed responsibility for the breach.
The release of Nobitex’s complete source code by the hackers raised concerns about the potential exposure of sensitive information, including KYC records. TRM Labs speculated that the breach could have provided valuable data to Israeli cyber units for identifying Iranian operatives and tracing crypto payments to local collaborators. Iran’s use of cryptocurrency in covert operations is not new, as the country has been known to utilize digital assets to fund proxies, evade sanctions, and support cyber activities.
Similar instances of state-backed cryptocurrency operations have been observed in other countries, such as Russia and North Korea. In 2024, Russia and Iran reportedly turned to cryptocurrency to bypass Western sanctions, leveraging decentralized finance (DeFi) platforms and no-KYC exchanges for financial operations. South Korea also arrested individuals linked to North Korean intelligence for passing military secrets in exchange for crypto.
The intricacies of the Nobitex exploit and the subsequent arrests underscore the evolving landscape of cyber warfare and espionage in the digital age. As governments and intelligence agencies increasingly turn to cryptocurrency for clandestine operations, the need for robust cybersecurity measures and vigilant oversight becomes more critical than ever.