TRM Labs, a leading crypto analytics organization, has put forth the theory that the infamous $90 million Nobitex crypto exchange hack may have been used by Israeli cyber units for espionage purposes. The company highlighted this possible connection in its recent report.
The report drew attention to the arrests of three individuals in Israel, allegedly engaged in espionage activities for Iran, which involved surveillance, propaganda, and intelligence collection. The intriguing aspect of this case is that the alleged operatives were remunerated using digital assets, a rarely seen method of payment in state-sponsored espionage.
“Digital assets enable cross-border transactions without the need for traditional banking systems, which makes them an ideal tool for covert operations,” TRM Labs stated in their report.
One of the suspects, 28-year-old Dmitri Cohen, was purportedly paid $500 in cryptocurrency for each completed task by Iranian intelligence services. TRM Labs pointed out that these arrests occurred shortly after Nobitex, Iran’s largest crypto exchange, was hacked.
Although Israeli authorities have not officially confirmed a connection between the hack and the arrests, TRM Labs suggests a potential correlation based on the timing and tactical profile.
The Nobitex hack occurred on June 18, when hot wallets across several networks were emptied, resulting in over $90 million in cryptocurrency asset losses. Notably, the pro-Israeli hacker group Gonjeshke Darande claimed responsibility for this cyber attack.
The group has a history of disrupting and collecting intelligence from Iranian-affiliated platforms. According to TRM Labs, the sequence of events, including Israeli strikes, the Nobitex breach, and the arrests, raises the potential that Israeli cyber units may have exploited the Nobitex data for intelligence purposes.
While direct public evidence linking the Nobitex breach to the espionage investigations is lacking, TRM Labs suggests that the theory aligns with known tactics used by Israeli cyber defense teams and Gonjeshke Darande’s operational history.
At the time of the hack, onchain analytics platform Chainalysis identified Nobitex as a critical player in Iran’s sanctioned crypto space, with numerous ties to illicit activities.
“Nobitex’s role goes beyond being a local exchange; it serves as a vital hub within Iran’s heavily sanctioned crypto ecosystem, providing access to global markets for users isolated from traditional finance,” the Chainalysis report stated.
Previous onchain investigations have linked Nobitex to nefarious actors, including ransomware operators affiliated with the IRGC and sanctioned Russian crypto exchanges.





