The regulator acknowledged that the company misled users about the platform’s security level

FTC orders Nomad operator to compensate for damages after hack

17.12.2025 - 11:10

310

3 min

Key points:

  • The FTC ordered Illusory Systems to return funds to users affected by the $186 million hack of the Nomad cross-chain bridge in 2022
  • The regulator said the company advertised “security-first” but failed to provide basic code protection and testing measures.
  • Illusory Systems must implement a formal cybersecurity program and undergo independent audits every two years.

The US Federal Trade Commission (FTC) announced an agreement with Illusory Systems, the operator of the Nomad cross-chain bridge, which was hacked in 2022. As a result of the attack, digital assets worth approximately $186 million were withdrawn from the platform. The regulator concluded that the company misled users about the security level of the service.

According to the FTC, the critical vulnerability arose after a software update in June 2022. By August 1, attackers had already begun to withdraw funds en masse, exploiting a bug in one of the smart contracts. The agency estimates that user losses exceeded $100 million.

Regulator’s requirements for Illusory Systems

Under the proposed agreement, Illusory Systems is prohibited from misrepresenting its security measures. The company is required to implement a formal information security program, establish incident response processes, and undergo independent security audits every two years.

The cross-chain bridge operator must also return to users all funds that were recovered after the hack but have not yet been paid to the victims. The FTC emphasized that the lack of a centralized response system prevented Nomad from quickly stopping the attack.

How the Nomad hack happened

Nomad was launched in 2021 and was used to transfer tokens between different blockchain networks, including Ethereum and Avalanche. During the attack, the attackers withdrew ETH, USDC, DAI, and WBTC. In the days that followed, the team managed to recover about $22 million of the stolen funds.

The FTC stated that Illusory Systems did not follow generally accepted secure programming practices, including comprehensive unit testing prior to deploying updates. At the same time, the platform was positioned as security-focused in its marketing materials.

Arrest of Alexander Gurevich

Earlier, Israeli authorities arrested Alexander Gurevich, suspected of organizing the exploitation of the Nomad cross-chain bridge vulnerability. He was arrested on May 1, 2025, at Ben Gurion Airport before flying to Russia. According to the authorities, he legally changed his name and obtained a new passport the day before his arrest.

The US Attorney’s Office claims that it was Gurevich who first exploited the Nomad vulnerability on August 1, 2022, and withdrew approximately $2,89 million in cryptocurrency. After that, the exploit was widely used by other attackers, resulting in total losses of nearly $190 million.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy