Israel’s $90M Nobitex Exploit Tied to Crypto-Funded Espionage

$90 million vanished from Iran's Nobitex exchange, now, TRM Labs suggests pro-Israel hackers allegedly siphoned funds and possibly seized sensitive data to uncover Iranian spies paid in crypto Days after the hack, three Israeli citizens were arrested for allegedly carrying out espionage activities, such as performing surveillance, propaganda, and intelligence-gathering tasks in exchange for cryptocurrency payments on behalf of Iranian intelligence. Israeli Espionage Case Highlights Use of Crypto for State-Backed Operations In its report, TRM Labs noted "the arrests represent a rare public case of state-sponsored espionage in which operatives were compensated using digital assets." The investigation alleges that each suspect received crypto payouts upon completing specific assignments, with funds delivered via anonymized blockchain channels. One of the accused, Dmitri Cohen, 28, from Haifa, reportedly tracked and photographed members of Prime Minister Benjamin Netanyahu's family. He is accused of spying on Amit Yardeni, Netanyahu's future daughter-in-law, ahead of her wedding. Investigators say Cohen used a dedicated device to maintain encrypted contact with his Iranian handler and received thousands of dollars in crypto, about $500 per task. A second suspect, aged 27 from Tel Aviv, was detained for allegedly photographing military sites, government buildings, and tagging graffiti. Authorities seized several devices from his home during the investigation. A third suspect, aged 19 from the Sharon region, reportedly passed classified information to Iranian contacts. He was allegedly recruited online and maintained prolonged communication with Iranian operatives during recent tensions between the two countries. While Israeli officials have not publicly connected the arrests to any specific cyber incident, TRM Labs suggests the timeline may point to a broader intelligence operation. TRM Labs Flags Possible Intelligence Overlap in Espionage Case Involving Nobitex Hack "Although Israeli authorities have not confirmed any connection between the hack and the arrests, the timing and tactical profile suggest potential intelligence overlaps," TRM Labs noted. The firm noted that Israeli airstrikes occurred on June 13, followed by the hack of Iran-based crypto exchange Nobitex on June 18, and then the arrests on June 24. However, till now, there hasn't been a solid evidence linking Israel to the June 18 cyberattack on Nobitex, Iran's largest cryptocurrency exchange , although a pro-Israel hacking group Predatory Sparrow also know as " Gonjeshke Darande" claimed responsibility for the breach. Additionally, the pro-Israel hacker group Gonjeshke Darande claimed to not only wipe $90 million of the exchange but also released the Iranian exchange's full source code , including server lists, cold wallet scripts, and privacy settings. Notably, the group has previously targeted Iranian infrastructure for intelligence-gathering. TRM Labs suggests the breach could have granted access to KYC records, potentially aiding Israeli cyber units in identifying Iranian handlers or mapping crypto payments to local operatives. Iran's use of cryptocurrency in covert operations is not new. Reports revealed that Iran routinely uses crypto to fund proxies, evade sanctions, and support cyber operations.