FTC Compels Nomad Operator to Repay Users After $186M Crypto Bridge Hack in 2022
The Federal Trade Commission (FTC) announced a proposed settlement with Illusory Systems Inc., operator of the Nomad cryptocurrency bridge, following a 2022 hack that resulted in approximately $186 million in stolen assets and over $100 million in consumer losses. Illusory is prohibited from misrepresenting its security measures, must establish a formal information-security program, undergo independent security assessments every two years, and return any recovered funds to affected users. The FTC found Nomad failed to implement adequate incident response systems or security practices, including proper code testing and clear vulnerability reporting, despite marketing itself as “security-first.” A June 2022 code update introduced a critical vulnerability, exploited beginning August 1, 2022. In the aftermath, Nomad recovered $22 million. Earlier in 2024, Israeli authorities arrested Alexander Gurevich for allegedly orchestrating the attack. The FTC’s consent agreement will be open for public comment for 30 days.
