FTC orders Nomad operator to compensate for damages after hack
The regulator acknowledged that the company misled users about the platform’s security level
17.12.2025 - 11:10
310
3 min
0
Key points:
- The FTC ordered Illusory Systems to return funds to users affected by the $186 million hack of the Nomad cross-chain bridge in 2022
- The regulator said the company advertised “security-first” but failed to provide basic code protection and testing measures.
- Illusory Systems must implement a formal cybersecurity program and undergo independent audits every two years.
The US Federal Trade Commission (FTC) announced an agreement with Illusory Systems, the operator of the Nomad cross-chain bridge, which was hacked in 2022. As a result of the attack, digital assets worth approximately $186 million were withdrawn from the platform. The regulator concluded that the company misled users about the security level of the service.
According to the FTC, the critical vulnerability arose after a software update in June 2022. By August 1, attackers had already begun to withdraw funds en masse, exploiting a bug in one of the smart contracts. The agency estimates that user losses exceeded $100 million.
Regulator’s requirements for Illusory Systems
Under the proposed agreement, Illusory Systems is prohibited from misrepresenting its security measures. The company is required to implement a formal information security program, establish incident response processes, and undergo independent security audits every two years.
The cross-chain bridge operator must also return to users all funds that were recovered after the hack but have not yet been paid to the victims. The FTC emphasized that the lack of a centralized response system prevented Nomad from quickly stopping the attack.
How the Nomad hack happened
Nomad was launched in 2021 and was used to transfer tokens between different blockchain networks, including Ethereum and Avalanche. During the attack, the attackers withdrew ETH, USDC, DAI, and WBTC. In the days that followed, the team managed to recover about $22 million of the stolen funds.
The FTC stated that Illusory Systems did not follow generally accepted secure programming practices, including comprehensive unit testing prior to deploying updates. At the same time, the platform was positioned as security-focused in its marketing materials.
Arrest of Alexander Gurevich
Earlier, Israeli authorities arrested Alexander Gurevich, suspected of organizing the exploitation of the Nomad cross-chain bridge vulnerability. He was arrested on May 1, 2025, at Ben Gurion Airport before flying to Russia. According to the authorities, he legally changed his name and obtained a new passport the day before his arrest.
The US Attorney’s Office claims that it was Gurevich who first exploited the Nomad vulnerability on August 1, 2022, and withdrew approximately $2,89 million in cryptocurrency. After that, the exploit was widely used by other attackers, resulting in total losses of nearly $190 million.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Telegram
Twitter