FTC Compels Nomad Operator to Repay Users After $186M Crypto Bridge Hack in 2022

In brief The FTC said Illusory Systems’ Nomad crypto bridge lost $186 million after hackers exploited a poorly tested software update. Regulators alleged the company marketed itself as “security-first” while failing to follow basic coding and incident-response practices. A proposed settlement would require Illusory to return recovered funds, overhaul its security program, and undergo ongoing audits. Decrypt’s Art, Fashion, and Entertainment Hub. Discover SCENE The Federal Trade Commission said Tuesday it had reached a proposed settlement with Illusory Systems Inc., the operator of the Nomad cryptocurrency bridge, related to the 2022 hack that drained nearly all of the platform’s funds. Under the proposed settlement, Illusory would be barred from misrepresenting its security practices and required to implement a formal information-security program, submit to independent biennial security assessments, and return any recovered funds not already repaid to affected users. The agency said the exploit resulted in the theft of about $186 million in digital assets, leaving consumers with losses exceeding $100 million. “Because Nomad failed to implement adequate incident response systems, Nomad did not have an effective way to stop the exploit,” the FTC said in an original complaint . “Nomad had to rely on an engineer, who was on a plane, to relay code snippets in a chat back and forth with the incident manager on duty. As a result, Nomad was unable to shut down the bridge until after it had been emptied of assets.”  “The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect,” the FTC wrote in the proposed agreement. “The Commission accepted the executed Consent Agreement and placed it on the public record for a period of 30 days for the receipt and consideration of public comments.” Launched in 2021, Nomad was among a growing number of platforms that enabled users to transfer tokens across multiple blockchain networks, including Ethereum and Avalanche . The FTC said a June 2022 code update introduced a critical vulnerability into one of Nomad’s smart contracts, which hackers began exploiting on August 1, 2022, resulting in the loss of approximately $186 million in Ethereum, USDC , DAI , and WBTC . According to the agency’s complaint, Illusory Systems promoted Nomad as “security-first” while failing to adequately test code, maintain clear vulnerability-reporting and incident-response processes, or deploy basic safeguards that could have limited consumer losses and “failed to implement well-known secure coding practices, such as writing and conducting adequate unit tests prior to pushing code into production.” “While Nomad stressed the importance of thoroughly testing smart contracts in its marketing, in many instances, it did not adequately test smart contracts, as discussed by Nomad engineers before the exploit,” the FTC said. In the days following the hack, Nomad recovered $22 million of the $190 million stolen. Earlier this year, Israeli authorities arrested Alexander Gurevich, accusing him of initiating the Nomad bridge exploit. Police said he was detained at an Israeli airport while trying to flee to Moscow, days after legally changing his name to evade detection. Neither Illusory nor the FTC responded to Decrypt's requests for comment . Daily Debrief Newsletter Start every day with the top news stories right now, plus original features, a podcast, videos and more. Your Email Get it! Get it!