The U.S. Federal Trade Commission (FTC) has taken formal action against the company behind the Nomad cross-chain bridge, accusing it of misleading users about its security practices in the period before one of the largest crypto bridge exploits in 2022. The proposed settlement targets Illusory Systems Inc., the operator of Nomad, following a hack that drained nearly all of the protocol’s funds and left consumers with losses exceeding $100 million.
According to the FTC, the case highlights serious failures in smart-contract security, internal controls, and incident response at a time when cross-chain bridges were rapidly becoming critical infrastructure in the crypto ecosystem.
FTC Settlement Details and Allegations Against Nomad
In a proposed settlement announced Tuesday, the FTC said Illusory Systems must stop making deceptive claims about its security posture and implement a formal information-security program. The agreement would also require the company to undergo independent security audits every two years and return any recovered assets that have not already been repaid to users.
The agency alleges that a June 2022 code update introduced a critical vulnerability into one of Nomad’s smart contracts. That flaw was exploited on August 1, 2022, triggering a wave of copycat attacks that ultimately resulted in roughly $186 million in stolen cryptocurrency. Assets taken included Ethereum (ETH), USDC, DAI, and Wrapped Bitcoin (WBTC). Nomad later managed to recover approximately $22 million of the stolen funds.
Despite marketing itself as “security-first,” the FTC complaint says Nomad failed to conduct adequate testing, lacked a clear vulnerability disclosure process, and did not follow basic secure coding practices such as comprehensive unit testing. These shortcomings, the agency argues, directly contributed to the scale and speed of the exploit.
Engineering Failures, Incident Response, and Legal Fallout
The FTC’s filing paints a stark picture of Nomad’s internal operations during the crisis. As the exploit unfolded, the company was allegedly unable to respond effectively. According to the complaint, Nomad’s incident response was so disorganized that staff relied on an engineer who was on a flight at the time and was sending code snippets through chat messages. By the time the bridge could be paused, most of the funds had already been drained.
Launched in 2021, Nomad was designed to let users move tokens between blockchains such as Ethereum and Avalanche. The exploit became a high-profile example of the systemic risks posed by smart-contract bugs and weak operational controls in cross-chain infrastructure.
The FTC stated that it has “reason to believe” Illusory Systems violated the Federal Trade Commission Act. The proposed settlement has been placed on the public record for a 30-day comment period before it can be finalized.
In a related development, Israeli authorities arrested Alexander Gurevich earlier this year, accusing him of carrying out the Nomad exploit. Police say Gurevich was detained at an Israeli airport while attempting to flee to Moscow after legally changing his name, allegedly in an effort to avoid detection.
Together, the enforcement action and criminal case signal growing regulatory and law-enforcement scrutiny of crypto infrastructure providers, particularly those whose security failures can lead to widespread consumer harm.