The Federal Trade Commission announced Tuesday it reached a proposed settlement with Illusory Systems Inc., operator of the Nomad cryptocurrency bridge, over a 2022 hack that drained $186 million from the platform.
The settlement requires the company to return recovered funds, overhaul its security program, and undergo biennial audits after regulators found it marketed itself as “security-first” while failing to follow basic coding practices.
The August 1, 2022, exploit resulted in losses exceeding $100 million for consumers, despite some fund recoveries. According to the FTC’s complaint, a June 2022 code update introduced a critical vulnerability into one of Nomad’s smart contracts that hackers exploited weeks later, draining assets including ETH, USDC, DAI, and WBTC across multiple blockchain networks.
“Because Nomad failed to implement adequate incident response systems, Nomad did not have an effective way to stop the exploit,” the FTC stated in its original complaint. “Nomad had to rely on an engineer, who was on a plane, to relay code snippets in a chat back and forth with the incident manager on duty. As a result, Nomad was unable to shut down the bridge until after it had been emptied of assets.”
Regulators allege Illusory Systems promoted Nomad as “security-first” while failing to adequately test code, maintain clear vulnerability-reporting processes, or deploy basic safeguards that could have limited consumer losses. The company “failed to implement well-known secure coding practices, such as writing and conducting adequate unit tests prior to pushing code into production,” according to the FTC.
The disconnect between marketing claims and actual practices forms the core of the FTC’s case. “While Nomad stressed the importance of thoroughly testing smart contracts in its marketing, in many instances, it did not adequately test smart contracts, as discussed by Nomad engineers before the exploit,” the agency said.
That gap matters because bridge platforms handle billions in cross-chain transfers. Users trusted Nomad based on security promises that the company apparently didn’t fulfill internally. The June 2022 code update that introduced the vulnerability should have undergone rigorous testing before deployment to production systems managing nearly $200 million in user assets.
When hackers began exploiting the vulnerability, the company had no effective emergency shutdown mechanism. Instead, incident managers had to wait for an engineer who happened to be traveling to relay code snippets through chat messages from 30,000 feet.
By the time the bridge finally shut down, hackers had emptied it completely. Proper incident response systems would have included automated circuit breakers, multiple on-call engineers with full system access, and clear escalation procedures. Nomad apparently had none of these, despite operating a platform responsible for securing nine figures in user assets.
By mid-2022, bridge exploits were rampant. Other platforms had demonstrated successful incident responses by shutting down operations quickly when suspicious activity appeared. Nomad couldn’t, because it never built those systems.
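The circuit-breaker and on-call controls described above can be made concrete. The following Solidity contract is an added illustration written for this article, not Nomad's code or anything from the FTC record; the contract name, the guardian role, and the rolling outflow limit are hypothetical design choices. Any one of several guardians (the “multiple on-call engineers with full system access” the text mentions) can halt releases immediately, restarting is reserved for the owner, and an automated breaker pauses the contract on its own when outflow in a time window exceeds a configured cap, so a drain that nobody is awake to notice still stops itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical bridge release contract illustrating circuit-breaker controls.
/// Constructed for this example; it is not Nomad's code. Proof verification
/// of incoming messages and the actual token transfer are out of scope here.
contract GuardedBridge {
    address public owner;
    mapping(address => bool) public isGuardian;

    bool public paused;

    // Automated circuit breaker: cap on units released per rolling window.
    uint256 public immutable windowLength;   // seconds
    uint256 public immutable windowLimit;    // maximum amount per window
    uint256 public windowStart;
    uint256 public releasedInWindow;

    // Replay protection: each message may be released at most once.
    mapping(bytes32 => bool) public processed;

    event Paused(address indexed by, string reason);
    event Unpaused(address indexed by);
    event Released(bytes32 indexed messageId, address indexed to, uint256 amount);

    error NotOwner();
    error NotGuardian();
    error IsPaused();
    error AlreadyProcessed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier onlyGuardian() { if (!isGuardian[msg.sender]) revert NotGuardian(); _; }
    modifier whenNotPaused() { if (paused) revert IsPaused(); _; }

    constructor(address[] memory guardians, uint256 _windowLength, uint256 _windowLimit) {
        owner = msg.sender;
        for (uint256 i = 0; i < guardians.length; i++) {
            isGuardian[guardians[i]] = true;
        }
        windowLength = _windowLength;
        windowLimit = _windowLimit;
        windowStart = block.timestamp;
    }

    /// Stopping must be cheap and fast: any single guardian can halt the bridge.
    function pause(string calldata reason) external onlyGuardian {
        paused = true;
        emit Paused(msg.sender, reason);
    }

    /// Restarting is the deliberate, privileged action taken after review.
    function unpause() external onlyOwner {
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Release funds for a message the caller has already proven valid.
    function release(bytes32 messageId, address to, uint256 amount) external whenNotPaused {
        if (processed[messageId]) revert AlreadyProcessed();

        if (_tripsBreaker(amount)) {
            // Do not revert here: a revert would undo the pause. Return instead
            // so the halted state persists and the message stays unprocessed
            // for later examination.
            paused = true;
            emit Paused(address(this), "outflow limit exceeded");
            return;
        }

        processed[messageId] = true;
        releasedInWindow += amount;
        emit Released(messageId, to, amount);
        // Token transfer to `to` would happen here.
    }

    /// Roll the window forward if it has expired, then report whether this
    /// release would push the window total over the limit.
    function _tripsBreaker(uint256 amount) internal returns (bool) {
        if (block.timestamp >= windowStart + windowLength) {
            windowStart = block.timestamp;
            releasedInWindow = 0;
        }
        return releasedInWindow + amount > windowLimit;
    }
}
```

The asymmetry is the point: a single guardian can pause with one transaction and no coordination, while unpausing requires the owner, so the cost of halting on a false alarm stays low and the cost of a hasty restart stays high. The automated breaker bounds the damage of an exploit that runs faster than any human can respond, which is exactly the window in which the bridge described above was emptied.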
Settlement Terms
Under the proposed agreement, Illusory Systems must return any recovered funds not already repaid to affected users. The company will also be barred from misrepresenting its security practices and required to implement a formal information-security program with independent biennial security assessments.
The settlement doesn’t include monetary penalties beyond repaying victims, which is typical for FTC cases where companies face insolvency risks. Forcing Illusory to pay large fines might prevent any user repayment, so regulators focused on returning stolen funds and preventing future incidents.
“The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect,” the FTC wrote. The proposed agreement entered a 30-day public comment period starting Tuesday, during which affected users and industry stakeholders can submit feedback before the settlement becomes final.
Nomad recovered approximately $22 million in the days following the hack, representing about 12% of the $186 million stolen. That recovery rate is relatively high for crypto exploits, where stolen funds typically vanish through mixers and privacy chains within hours. The $22 million likely came from white-hat hackers who exploited the vulnerability to secure funds before malicious actors could drain them, then returned the assets.
In May 2025, Israeli authorities arrested Alexander Gurevich at Ben-Gurion Airport while he attempted to flee to Moscow. Police said Gurevich was the first person to exploit the Nomad bridge vulnerability, personally stealing $2.89 million before others discovered the flaw and began draining remaining funds.
Gurevich had legally changed his name to “Alexander Block” days before his arrest, apparently hoping the new identity would help him evade detection. Israeli police caught him anyway, acting on intelligence about his travel plans and new identity. He was detained just before boarding a flight that would have taken him beyond extradition reach.
Authorities claim Gurevich initiated the exploit that others quickly copied once they saw the vulnerability in action. Within hours of his initial theft, dozens of other addresses began executing identical transactions, turning what might have been a contained $3 million loss into a catastrophic $186 million drain.
After stealing the funds, Gurevich allegedly demanded a $500,000 bounty from Nomad in exchange for returning the assets and disclosing the vulnerability. He eventually returned $162,000, keeping the rest. His arrest provides at least one concrete consequence for the hack, though recovering the full $186 million remains unlikely.
Nomad launched in 2021 as one of many platforms enabling token transfers across multiple blockchain networks, including Ethereum and Avalanche. Cross-chain bridges became critical infrastructure as the crypto ecosystem fragmented across dozens of chains, each with its own token standards and ecosystems.
But that fragmentation created massive security challenges. Bridges must lock assets on one chain while minting equivalent tokens on another, creating honey pots worth hundreds of millions that attract sophisticated attackers. Multiple major bridge hacks occurred in 2022, with Ronin Bridge losing $625 million in March and Wormhole losing $325 million in February.
The Nomad hack was smaller than those but followed similar patterns: complex smart contract systems, inadequate testing, and slow incident response.
Neither Illusory Systems nor the FTC responded to requests for comment about the proposed settlement. The 30-day comment period will determine whether the terms change before becoming final, though major modifications seem unlikely given that both parties have already agreed to the current framework.
For Nomad users who lost funds in August 2022, the settlement offers partial relief and an acknowledgment that the company failed its security promises. Whether it prevents similar failures at other bridges remains an open question that depends on how seriously the industry takes the FTC’s newfound willingness to hold platforms accountable for security marketing versus security reality.