Hacking group Gonjeshke Darande leaked sensitive user data. Israeli authorities have arrested three citizens for spying on Iran. Past nobitex transactions show signs of money laundering activity.
The fallout from the Nobitex hack is expanding beyond the shortage of funds.
The $90 million violation of Iran’s biggest cryptocurrency exchange, held on June 18, is currently linked to a potential spy case involving Israeli and Iranian operatives.
According to blockchain intelligence firm TRM Labs, three Israeli citizens were arrested on June 24 for spying on Iran, and Huck may have played a key role in the exposure.
The suspect, ages 19 to 28, is believed to have been recruited by an Iranian handler and reportedly paid in cryptocurrency.
Their tasks include photography for military sites, tagging Iranian graffiti, tracking high-ranking officials’ movements, and collecting surveillance data.
Israeli authorities argue that some of the crypto transactions linked to the suspects are traceable on-chain and may have been identified using data leaked from nobitex.
Gonjeshke Darande claims liability for violations
The attack on Nobitex was carried out by the Pro-Israeli Hacking Group Gonjeshke Darande.
Known for targeting Iran-related infrastructure, the group was engaged in cyber operations previously thought to serve intelligence purposes.
Following the June 18 violation, Nobitex’s internal systems were compromised, ejecting more than $90 million in digital assets.
The attacker then leaked sensitive data, including details about the potential wallet, knowledge of customer (KYC) records, and internal communications.
This leak was published one day after the hack and suggests a high level of access and adjustment.
While no direct link has been confirmed between the Nobitex violation and the arrest, TRM Labs has indicated that leaked data from the exchange may have helped Israeli authorities identify relevant user data related to cases of crypto payments and spying.
Crypto Payment, On-Chain Tracking, and Evidence
According to TRM Labs, the arrested individuals received thousands of dollars in cryptocurrency in exchange for performing intelligence tasks.
These payments were channelled through an anonymized system, but were ultimately traced using blockchain analysis.
Cryptographic transfers formed a critical part of the evidence used in the investigation.
At the same time, investigators discover a suspicious historic fund and are flowing from nobitex.
These included structured transactions designed to bypass detection, as well as links to wallets previously flagged for illegal activities.
The extent of exchange exposure raised questions about Nobitex’s internal control and compliance practices.
TRM analysis shows that the same infrastructure used by operatives to receive payments may have been exposed during hacking.
This suggests that the outcome of the violation goes beyond economic losses and extends to the territory of national security.
Nobitex faces scrutiny over past transfers
As the investigation into the violations deepens, analysts note that some of Nobitex’s past transactions reveal potential ties to the money laundering scheme.
Funds reportedly are routed through multiple wallets and exchanges, obscuring their origins, with certain patterns consistent with known tactics used by threat actors.
The exchange has not issued a detailed breakdown of losses or leaked data, but the rapid emergence of evidence supporting Israeli arrest suggests that Gonjeshke Darande may have targeted more than a user balance.
This operation may be designed to reveal hidden relationships between Iran-related crypto channels and individuals operating abroad.
The double impact of attacks – financial damage and information exposure – draws new attention to the vulnerability of cryptocurrency exchanges in geopolitical sensitive regions.
Nobitex finds himself at the heart of a web of suspected growth that includes avoiding cybercrime, espionage and sanctions.
