Israeli authorities have arrested three individuals suspected of conducting espionage activities on behalf of Iranian intelligence services. The suspects were recruited independently in separate cases and allegedly performed surveillance, propaganda, and intelligence-gathering tasks in exchange for cryptocurrency payments. The arrests represent a rare public case of state-sponsored espionage in which operatives were compensated using digital assets.
Among those arrested is Dmitri Cohen, a 28-year-old resident of Haifa. According to official statements from the Israel Police and the Shin Bet domestic intelligence agency, Cohen conducted surveillance on multiple individuals, including members of Israel Prime Minister Benjamin Netanyahu’s family. He allegedly tracked and photographed Amit Yardeni, Netanyahu’s future daughter-in-law, weeks before her wedding to Avner Netanyahu. Authorities stated that Cohen received thousands of dollars in cryptocurrency for his activities and used a separate mobile device to communicate securely with his Iranian handler.
In a separate case, a 27-year-old Tel Aviv resident was detained on suspicion of photographing Israeli military installations, government officials’ homes, and tagging pro-Iran graffiti throughout the city. Law enforcement seized several electronic devices from his residence, and authorities confirmed that he was also compensated in cryptocurrency for his work.
A third individual, aged 19, from the Sharon region, was reportedly recruited online and passed confidential information to an Iranian agent. While the identity of this suspect remains undisclosed, investigators believe that he maintained prolonged contact with Iranian intelligence during the recent Israel-Iran conflict.
Use of cryptocurrency for espionage activities
Israeli investigators confirmed that at least two of the suspects were paid in cryptocurrency by their Iranian handlers. This operational detail marks a significant development in the evolution of espionage tradecraft, with state actors increasingly leveraging blockchain-based payment mechanisms to obscure financial ties and reduce the risk of exposure. Digital assets can facilitate cross-border compensation without involving traditional banking channels, making them an effective tool for covert operations.
Cryptocurrency payments in these cases appear to have been transferred after specific tasks were completed, such as surveillance missions or graffiti tagging. Investigators reported that funds were delivered using anonymized channels, and in Cohen’s case, included a payment structure of approximately USD 500 per completed task. The precise assets used have not been disclosed publicly, but Israeli authorities confirmed that the payments were traceable on-chain and formed part of the investigative evidence.
Context: Iran’s use of digital assets in foreign operations
This is not the first known instance of Iran using cryptocurrency to support covert operations abroad. According to TRM Labs’ 2023 Illicit Crypto Ecosystem Report, the Iranian government has previously used digital assets to finance regional proxy groups such as the Houthis, evade sanctions, and fund cyber operations. In 2022, Iranian authorities reportedly executed four individuals accused of spying for Israel and receiving compensation in crypto. That same year, South Korean law enforcement arrested two individuals allegedly working for North Korean intelligence. One of the suspects was accused of leaking military secrets in exchange for cryptocurrency payments from a Democratic People’s Republic of Korea (DPRK)-linked contact.
The strategic use of cryptocurrency allows intelligence agencies to fund operatives without relying on formal banking infrastructure. Payments can be executed across borders, accessed from mobile devices, and exchanged into fiat currencies through small over-the-counter brokers in the region.
Potential link to the Nobitex hack
The arrests took place within days of a major cyberattack on Nobitex, Iran’s largest cryptocurrency exchange. On June 18, 2025, the pro-Israel hacking collective Predatory Sparrow (also known as Gonjeshke Darande) claimed responsibility for a breach, in which over USD 90 million in assets were stolen across multiple blockchains. Although Israeli authorities have not confirmed any connection between the hack and the arrests, the timing and tactical profile suggest potential intelligence overlaps.
Predatory Sparrow has a documented history of targeting Iranian regime-linked infrastructure for both disruptive and intelligence-gathering purposes. The sequence of events — Israeli strikes on June 13, the Nobitex breach on June 18, and the arrests announced on June 24 — raises the analytical possibility that Israeli cyber units were using the Nobitex breach to gather internal data. Such data might include wallet ownership, messaging history, or Know Your Customer (KYC) information, to identify Iranian handlers or trace crypto payments to Israeli operatives.
There is no direct evidence publicly linking the Nobitex breach to the ongoing espionage investigations, but the hypothesis is consistent with known tactics used by Israeli cyber defense teams and Predatory Sparrow’s operational record. Nobitex has long been assessed by Western analysts as a platform with connections to Iranian state entities, and its compromise could have yielded valuable intelligence.
Implications for national security and crypto regulation
The arrests mark a growing trend of digital assets being used in unconventional national security contexts. While crypto has long been associated with sanctions evasion and cybercrime, its role in funding espionage presents new challenges for law enforcement and intelligence services.
The Israeli cases highlight the evolving nature of espionage in the digital era. As adversaries embrace decentralized financial tools, governments must adapt investigative and regulatory frameworks to keep pace. Agencies are increasingly relying on blockchain analytics to trace suspicious activity, connect on-chain behavior to real-world identities, and support prosecutions in national security cases.
TRM Labs continues to work closely with law enforcement and intelligence services worldwide, providing data, tools, and expertise to track illicit financial activity on-chain. This includes support for investigations that fall at the intersection of geopolitical conflict, cyber operations, and espionage.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.
