Israeli Cyber Teams May Have Used Nobitex Hack Data to Arrest Iranian Spies

Israeli intelligence agencies may have leveraged data from a recent $90 million cryptocurrency hack on Nobitex, Iran's largest crypto exchange, to track and arrest suspected Iranian operatives. According to blockchain intelligence firm TRM Labs, there is an "analytical possibility" that Israeli cyber teams accessed internal information from Nobitex shortly after it was breached on June 18. This timing is significant because just days later, Israeli authorities announced the arrest of three individuals accused of conducting espionage activities on behalf of Iran.

Two of the suspects were reportedly compensated in cryptocurrency. One of them, a 28-year-old named Dmitri Cohen, is alleged to have received $500 in crypto for each completed task, which included intelligence gathering and online propaganda. The Nobitex breach, claimed by the pro-Israel hacking group Gonjeshke Darande, involved hot wallet drains across multiple networks, resulting in losses exceeding $90 million. While Israeli officials have not publicly linked the arrests to the hack, TRM Labs noted that the events, combined with Gonjeshke Darande’s history of targeting Iranian-linked platforms, suggest a potential overlap between military cyber operations and law enforcement.

TRM Labs emphasized that there is no public proof directly linking Nobitex data to the arrests. However, the pattern matches known tactics used by Israeli cyber defense units and the group that claimed the attack. Nobitex has long been under scrutiny from blockchain analytics firms, which have described it as a key channel in Iran’s sanctioned financial system. It has been linked to entities tied to the IRGC, ransomware operators, and sanctioned Russian exchanges.

The hackers, known by their Farsi name which translates to Predatory Sparrow, claimed responsibility for the breach and published what they say is Nobitex’s core backend code—scripts, infrastructure data, and privacy configurations. This leak effectively dismantles the platform’s security and exposes any remaining user assets to theft. Nobitex has stated that it is working to restore services within five days but noted that ongoing internet restrictions across Iran may delay progress. The exchange also claimed no further funds have been lost since the code dump.

In its latest statement, Nobitex condemned the attack as a hit against ordinary Iranians, saying it “targeted the peace of mind and assets of our fellow citizens under false pretenses.” Following the hack, authorities have reportedly imposed restrictions on local crypto exchanges, limiting their operating hours in a bid to contain fallout. The incident has raised questions about the evolving role of digital assets in intelligence operations and the potential for cyberattacks to be used as tools for espionage.

The use of cryptocurrency in espionage activities is not new, but the scale and sophistication of the Nobitex hack have raised concerns about the potential for similar attacks in the future. The incident has also highlighted the challenges faced by intelligence agencies in tracking and apprehending spies who use digital assets to evade detection. The arrests of the three individuals accused of spying for Iran have been seen as a significant victory for Israeli intelligence, demonstrating the potential for cyberattacks to be used as tools for espionage. However, the incident has also raised questions about the ethical implications of using such methods and the potential for unintended consequences.