Nobitex Cyber Heist
A staggering $90 million has disappeared from Nobitex, Iran’s leading cryptocurrency exchange, raising alarms about a potential cyber heist linked to pro-Israel hackers. Recent analyses by TRM Labs suggest that sensitive data may have been extracted during the breach, potentially revealing identities of Iranian operatives who were compensated using cryptocurrency.
Espionage Allegations
In a remarkable twist, just days after the hack, three citizens of Israel were apprehended on allegations related to espionage, involving surveillance, propaganda efforts, and intelligence-gathering tasks financed through cryptocurrency by Iranian intelligence. TRM Labs pointed out that this case is notable for highlighting state-sponsored espionage where operatives receive payments in digital assets.
The investigation detailed that the alleged spies received cryptocurrency payments upon completing designated tasks, with these transactions being executed through anonymous blockchain channels.
Among those arrested was 28-year-old Dmitri Cohen from Haifa, who is accused of tracking and photographing close associates of Israeli Prime Minister Benjamin Netanyahu, including his future daughter-in-law prior to her wedding. Cohen reportedly used a specialized device to facilitate encrypted communications with his Iranian superior and earned approximately $500 in crypto per completed assignment.
Another suspect, a 27-year-old from Tel Aviv, is believed to have documented military installations and government structures, in addition to tagging graffiti; investigators seized multiple devices from his residence. The third suspect, a 19-year-old from the Sharon region, has been implicated for providing confidential information to Iranian contacts, having allegedly engaged in sustained communication with Iranian operatives during heightened tensions between Israel and Iran.
Timeline of Events
While Israeli authorities have not directly linked these arrests to any specific cyber incident, TRM Labs speculates that the timeline aligns with a larger intelligence operation. They noted a sequence of events beginning with Israeli airstrikes on June 13, followed by the Nobitex hack on June 18, and the subsequent arrests on June 24.
Claims of Responsibility
To date, no concrete evidence has substantiated claims connecting Israel to the June 18 cyber assault on Nobitex, despite the pro-Israel hacker faction known as Gonjeshke Darande (Predatory Sparrow) claiming responsibility for the breach. This group not only allegedly drained $90 million from the exchange but also publicized the exchange's source code, encompassing server lists, scripts for cold wallets, and various privacy settings. Historically, this group has targeted Iranian systems for intelligence-gathering purposes.
Implications of the Breach
TRM Labs warns that the breach may have allowed access to critical Know Your Customer (KYC) documentation, potentially empowering Israeli cyber units to identify Iranian handlers and trace cryptocurrency transactions tied to local agents. Notably, Iran’s engagement with cryptocurrency for covert operations is not a recent phenomenon, as other reports have indicated that the nation frequently uses digital currencies to finance proxy groups, sidestep sanctions, and bolster cyber initiatives.
This year alone, South Korea apprehended individuals associated with North Korean intelligence for transferring military secrets in exchange for cryptocurrencies, highlighting a growing pattern among nations leveraging digital currencies for espionage purposes.