Inside the $90M Nobitex hack: a layer-by-layer breakdown – CoinJournal
- Hacking group Gonjeshke Darande leaked sensitive user data.
- Israeli authorities arrested three citizens for spying for Iran.
- Past Nobitex transactions show signs of money laundering activity.
The fallout from the Nobitex hack is expanding beyond missing funds.
The $90 million breach of Iran’s largest cryptocurrency exchange, which took place on 18 June, has now been linked to a potential espionage case involving Israeli and Iranian operatives.
According to blockchain intelligence firm TRM Labs, three Israeli citizens were arrested on 24 June for allegedly spying for Iran, and the hack may have played a key role in their exposure.
The suspects, aged between 19 and 28, are believed to have been recruited by Iranian handlers and were reportedly paid in cryptocurrency.
Their tasks included photographing military sites, tagging pro-Iranian graffiti, tracking the movements of senior officials, and gathering surveillance data.
Israeli authorities claim that some of the crypto transactions linked to the suspects were traceable on-chain and may have been identified using data leaked from Nobitex.
Gonjeshke Darande claims responsibility for breach
The attack on Nobitex was carried out by the pro-Israeli hacking group Gonjeshke Darande, also known as Predatory Sparrow.
The group, known for targeting Iranian-linked infrastructure, has previously engaged in cyber operations believed to serve intelligence purposes.
Following the June 18 breach, Nobitex’s internal systems were compromised, and over $90 million in digital assets were drained.
The attackers subsequently leaked sensitive data, including potential wallet details, Know Your Customer (KYC) records, and internal communications.
This leak was published just one day after the hack, suggesting a high level of access and coordination.
Although there is no confirmed direct link between the Nobitex breach and the arrests, TRM Labs indicated that leaked data from the exchange may have assisted Israeli authorities in identifying crypto payments and associated user data linked to the espionage case.
Crypto payments, on-chain tracking, and evidence
According to TRM Labs, the arrested individuals received thousands of dollars in cryptocurrency in exchange for carrying out intelligence tasks.
These payments were channelled through anonymised systems but eventually traced using blockchain analysis.
The crypto transfers formed a crucial part of the evidence used in the investigation.
At the same time, investigators uncovered suspicious historical fund flows from Nobitex.
These included structured transactions designed to bypass detection and linkages to wallets previously flagged for illicit activity.
The extent of the exchange’s exposure has raised questions about Nobitex’s internal controls and compliance practices.
The TRM analysis indicates that the same infrastructure used by operatives to receive payments may have been exposed during the hack.
This suggests that the breach’s consequences go beyond financial loss and extend into national security territory.
Nobitex faces scrutiny over past transfers
As investigations into the breach deepen, analysts have noted that some of Nobitex’s past transactions reveal potential ties to money laundering schemes.
Funds were reportedly routed through multiple wallets and exchanges to obscure their origin, with certain patterns matching known tactics used by threat actors.
While the exchange has not issued a detailed breakdown of the losses or the leaked data, the rapid emergence of evidence supporting the Israeli arrests suggests that Gonjeshke Darande may have targeted more than just user balances.
The operation could have been designed to expose hidden relationships between Iranian state-linked crypto channels and individuals operating abroad.
The dual impact of the attack — financial damage and intelligence exposure — is drawing renewed attention to the vulnerability of cryptocurrency exchanges in geopolitically sensitive regions.
Nobitex now finds itself at the centre of a growing web of suspicion involving cybercrime, espionage, and sanctions evasion.
Source link
