FTC moves to settle Nomad crypto hack case after $186M theft

The Federal Trade Commission (FTC) released a statement on Tuesday, December 16, indicating that it has proposed a settlement with Illusory Systems Inc., the operator of the Nomad cryptocurrency bridge. This deal is linked to a 2022 hack that resulted in significant losses after nearly all the funds on the platform were stolen.

If, by any chance, the settlement proposal gets approved, Illusory will not be permitted to deceive anyone regarding its security practices. This proposal will require the platform to develop an official information security initiative, undergo independent security checks every two years, and return any recovered funds that have not yet been returned to the users who were affected.

To determine the exact amount lost in this hack, reporters questioned the FTC about the information it had regarding this practice. The federal agency highlighted that the loss incurred in this hack amounted to approximately $186 million in digital assets. This left clients suffering losses of more than $100 million. 

Nomad crypto hack incident raises safety concerns among crypto investors 

The FTC mentioned in its original complaint that Nomad failed to effectively prevent the hack because it lacked the right incident response systems in place. According to the agency, “They had to depend on an engineer who was on a plane to send code snippets back and forth with the incident manager. Because of this delay, Nomad couldn’t shut down the bridge until after it lost all its assets.” 

In the proposed agreement, the FTC highlighted that it decided to submit a Complaint, indicating the charges, after discovering sufficient evidence to support its claim that the Respondent had breached the Federal Trade Commission Act. 

This conclusion followed a thorough investigation into the matter that was conducted by the commission. “The Commission has accepted the signed Consent Agreement and made it public for 30 days to allow for public comments,” the agency added.

Meanwhile, established in 2021, Nomad operated as a blockchain bridge that enabled users to transfer tokens across various blockchain networks, including Ethereum and Avalanche.

According to a report from the FTC, a code update implemented in June 2022 resulted in a major defect in one of the smart contracts on Nomad. Hackers began to take advantage of the situation on August 1, 2022, resulting in substantial losses of approximately $186 million in Ethereum, USDC, DAI, and WBTC. 

Illusory Systems had marketed Nomad as a Safety-focused platform, according to the agency’s complaint. However, the commission argued that they failed to properly test the code or keep clear processes for reporting suspicious incidents and responding to them.

The FTC accuses Illusory Systems of ignoring basic safety measures

The federal agency alleged that Illusory Systems failed to establish basic safety measures that could have mitigated the losses clients faced and did not comply with established secure coding practices, such as conducting proper unit tests before introducing the code.

The FTC stated that although Nomad pointed out that it had adopted thorough testing of smart contracts in its advertising, Nomad engineers admitted that the platform did not frequently test them adequately before the hack took place.

After the hack incident, Nomad was able to recover around $22 million of the $190 million that was robbed. This situation illustrates a growing trend in the cryptocurrency industry, where criminals often steal substantial sums of clients’ funds. To support this claim, Israeli authorities reported earlier this year that they managed to arrest Alexander Gurevich for supposedly starting the Nomad bridge exploit. 

Reports from the police stated that Gurevich was caught at an Israel-based airport while attempting to flee to Moscow just a few days after he lawfully changed his name to remain hidden from the authorities.

If you're reading this, you’re already ahead. Stay there with our newsletter.