FTC Reaches Proposed Settlement with Nomad Operator Over $186M 2022 Crypto Bridge Hack
The Federal Trade Commission (FTC) has reached a proposed settlement with Illusory Systems Inc., the operator of the Nomad cross-chain bridge, concerning the significant 2022 hack of the bridge.
The 2022 exploit drained about $186 million in assets including ETH, USDC, DAI, and WBTC, resulting in consumer losses exceeding $100 million. Nomad, launched in 2021 to enable cross-chain transfers across Ethereum and Avalanche, introduced a code update in June 2022 that created the vulnerability later exploited in August 2022.
The FTC alleges Nomad marketed itself as "security-first" but failed to adequately test code, maintain vulnerability reporting, or implement incident-response practices. During the hack, Nomad was unable to stop the exploit in real time, reportedly relying on an engineer on a plane relaying code snippets to the incident manager.
Nomad recovered approximately $22 million of the roughly $190 million stolen. Israeli authorities previously arrested Alexander Gurevich for initiating the exploit.
The proposed consent agreement would bar Illusory Systems from misrepresenting security practices and would require a formal information-security program, independent biennial security assessments, and the return of recovered funds not yet repaid. This agreement has been placed on public record for 30 days to solicit comments.