Israeli units may have used $90 million Nobitex exploit to gather internal data, says TRM Labs

Crypto analytics platform TRM Labs raised the possibility that Israel's cyber units gathered internal data from the $90 million hack on crypto exchange Nobitex to catch Iranian operatives.

In its latest report, TRM Labs cited a recent arrest of three individuals in Israel suspected of conducting espionage activities for Iran, performing surveillance, propaganda, and intelligence-gathering tasks. Two of the suspects were paid in cryptocurrencies.

"The arrests represent a rare public case of state-sponsored espionage in which operatives were compensated using digital assets," TRM Labs said. "Digital assets can facilitate cross-border compensation without involving traditional banking channels, making them an effective tool for covert operations."

In the case of 28-year-old suspect Dmitri Cohen, the Iranian intelligence services paid $500 worth of crypto per completed task.

TRM Labs noted that the arrests took place just days after Iran's largest cryptocurrency exchange, Nobitex, was hacked. "Although Israeli authorities have not confirmed any connection between the hack and the arrests, the timing and tactical profile suggest potential intelligence overlaps," the report said.

The attack on Nobitex took place on June 18, when its hot wallets on multiple networks were drained, resulting in losses of over $90 million worth of crypto assets.

Soon after the attack, pro-Israel hacker group Gonjeshke Darande claimed it had initiated the cyberattack. Gonjeshke Darande has been active for many years, disrupting and gathering intelligence from platforms affiliated with the Iranian regime.

TRM Labs said the sequence of events — Israeli strikes on June 13, the Nobitex breach on June 18, and the arrests announced on June 24 — raises the "analytical possibility" that cyber units in Israel utilized the internal data from Nobitex, such as wallet data or private messaging history.

"There is no direct evidence publicly linking the Nobitex breach to the ongoing espionage investigations, but the hypothesis is consistent with known tactics used by Israeli cyber defense teams and [Gonjeshke Darande's] operational record," TRM Labs said.

Around the time of the hack, onchain analytics platform Chainalysis stated that Nobitex plays an essential role in the country's sanctioned crypto space, with multiple ties to illicit activities.

"Nobitex isn’t just a local exchange; it serves as a critical hub within Iran’s heavily sanctioned crypto ecosystem, enabling access to global markets for users cut off from traditional finance," Chainalysis wrote.

Chainalysis added that past onchain investigations have linked Nobitex to illicit actors, including IRGC-affiliated ransomware operators and sanctioned Russian crypto exchanges.

© 2025 The Block. All Rights Reserved.

The Block