The U.S. Federal Trade Commission (FTC) announced on Tuesday, December 16, a proposed settlement with Illusory Systems Inc., the operator of the Nomad cryptocurrency bridge, concerning a massive security breach in August 2022. The exploit resulted in the theft of approximately $186 million in digital assets, leaving consumers with losses exceeding $100 million.
According to the FTC's complaint, a software update implemented by Nomad in June 2022 introduced a critical vulnerability into one of its smart contracts. Hackers began exploiting this flaw on August 1, 2022, draining funds in Ethereum (ETH), USD Coin (USDC), Dai (DAI), and Wrapped Bitcoin (WBTC). The agency alleges that Illusory Systems marketed Nomad as a "security-first" or "safety-focused" platform while failing to follow basic security practices.
The FTC accused the company of inadequate code testing, of lacking clear processes for reporting and responding to security incidents, and of failing to implement well-known secure coding practices. A key failure highlighted was the company's incident response: during the attack, Nomad had to rely on an engineer who was on a plane to relay code snippets, a critical delay that prevented the bridge from being shut down until after it had been emptied.
The proposed settlement would bar Illusory Systems from misrepresenting its security practices. It would also require the company to implement a formal information security program, undergo independent security assessments every two years, and return any recovered funds not already repaid to affected users. Following the hack, Nomad managed to recover about $22 million of the stolen $190 million.
In a related development, Israeli authorities earlier this year arrested Alexander Gurevich, accusing him of initiating the Nomad bridge exploit. The FTC's proposed agreement is now open for public comment for 30 days before finalization.