Illusory Systems: Illusory Systems settles with FTC over 2022 cryptocurrency hack

FTC Orders Nomad to Return Stolen Funds and Overhaul Security After $186M Crypto Hack

The Federal Trade Commission (FTC) has reached a settlement with Illusory Systems (operating as Nomad) that requires the company to return recovered funds to victims and implement sweeping security reforms following a 2022 hack that drained $186 million in cryptocurrency from users. The breach exploited a vulnerability in Nomad’s Token Bridge, a set of smart contracts that lets users move assets between blockchains.

The FTC’s investigation found that Nomad misrepresented its security practices, advertising its platform as “high security” and “security first” while failing to implement basic safeguards. In June 2022, after a security audit, the company deployed code it had not adequately tested; in July 2022, attackers exploited a flaw in that code to steal the funds. White hat hackers later secured $37 million of the stolen assets, which Nomad must now return to users.

Key security failures included:

  • No adequate testing—Engineers prioritized functionality over security, with minimal unit testing before deployment.
  • Lack of monitoring—The company had no automated fraud detection, learning of the breach from a social media post rather than internal alerts.
  • No kill switch—Without circuit breakers or emergency protocols, security teams were unable to halt the attack until after funds were drained.
  • Understaffed security—Nomad lacked dedicated security personnel, clear vulnerability reporting, and a written security plan.
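The monitoring and kill-switch failures above come down to one missing control: the bridge kept paying out at full speed, and nothing was positioned to notice or stop it. The Python simulation below is an added illustration, not Nomad's code and not anything from the FTC filing. It models a bridge vault guarded by a rolling-window outflow cap that pauses the vault automatically once the last hour of payouts would exceed a threshold, then runs the same constructed traffic (six legitimate withdrawals followed by a copycat drain) through both the unprotected and the protected configuration. The vault class, the one-hour window, the cap of 100 units, the balance and every withdrawal are assumptions chosen for the example.

```python
"""Rolling-window outflow circuit breaker for a cross-chain bridge vault.

Added illustration, not Nomad's code: the vault, the window size, the cap
and the traffic are all constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Withdrawal:
    ts: int          # seconds since an arbitrary epoch (constructed)
    amount: float    # value leaving the vault, in arbitrary units
    recipient: str   # destination address (constructed label)


class BridgeVault:
    """Vault that pays withdrawals, optionally guarded by a circuit breaker.

    window_cap=None reproduces the 'no kill switch' configuration: every
    valid-looking withdrawal is paid until the vault is empty.  With a cap,
    any withdrawal that would push the last `window_seconds` of outflow
    above the cap trips the breaker and the vault pauses itself.
    """

    def __init__(self, balance: float, window_seconds: int = 3600,
                 window_cap: Optional[float] = None) -> None:
        self.balance = balance
        self.window_seconds = window_seconds
        self.window_cap = window_cap
        self.paused = False
        self.paid_out = 0.0
        self.rejected = 0
        self._recent: deque = deque()   # (ts, amount) of recent payouts

    def _outflow_in_window(self, now: int) -> float:
        # Drop payouts that fell out of the (now - window, now] interval.
        while self._recent and self._recent[0][0] <= now - self.window_seconds:
            self._recent.popleft()
        return sum(amount for _, amount in self._recent)

    def process(self, w: Withdrawal) -> bool:
        """Pay `w` and return True, or reject it and return False."""
        if self.paused or w.amount > self.balance:
            self.rejected += 1
            return False
        if self.window_cap is not None:
            if self._outflow_in_window(w.ts) + w.amount > self.window_cap:
                self.paused = True          # the kill switch fires
                self.rejected += 1
                return False
        self.balance -= w.amount
        self.paid_out += w.amount
        self._recent.append((w.ts, w.amount))
        return True


def constructed_traffic() -> list:
    """Six legitimate withdrawals, then a copycat drain (constructed data)."""
    legit = [Withdrawal(ts=600 * i, amount=10.0, recipient=f"user{i}")
             for i in range(6)]
    drain = [Withdrawal(ts=4000 + 3 * i, amount=30.0, recipient=f"copycat{i}")
             for i in range(30)]
    return legit + drain


def simulate(window_cap: Optional[float], balance: float = 1000.0) -> dict:
    """Run the constructed traffic through a vault and report the outcome."""
    vault = BridgeVault(balance=balance, window_cap=window_cap)
    for w in constructed_traffic():
        vault.process(w)
    return {"paid_out": vault.paid_out, "balance": vault.balance,
            "paused": vault.paused, "rejected": vault.rejected}


if __name__ == "__main__":
    print("no breaker :", simulate(None))
    print("cap 100/hr :", simulate(100.0))
```

Without the cap the drain empties the vault down to the last 40 units; with it, only the first drain withdrawal is paid before the breaker trips and the remaining 29 are refused, so the exposure per window is bounded by the cap rather than by the vault balance. The same idea is what a pausable contract with a per-window withdrawal limit gives on-chain; the breaker tripping is also the alert that should page a human, which is the monitoring the company lacked.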

Internal communications revealed warnings from engineers about weak code testing and previous incidents where the company refused to reimburse users for losses caused by bugs. Despite marketing its platform as secure, executives acknowledged in private that the system was “free-to-use” with no guarantees of safety.

As part of the settlement, Nomad must develop a comprehensive cybersecurity program, address flaws identified by the FTC, and submit to third-party assessments. The FTC emphasized that companies must “live up to their security promises” under the FTC Act. The case underscores the risks of cross-chain bridges, which have become prime targets for cybercriminals due to their high-value transactions.

Source: https://cyberscoop.com/ftc-settles-with-illusory-systems-in-2022-cryptocurrency-hack/

Illusory cybersecurity rating report: https://www.rankiteo.com/company/illusoryio

"id": "ILL1766547459",
"linkid": "illusoryio",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Users of Token Bridge '
                                              'cryptocurrency smart contract '
                                              'solution',
                        'industry': 'Cryptocurrency, Blockchain',
                        'name': 'Illusory Systems (Nomad)',
                        'type': 'Company'}],
 'attack_vector': 'Exploitation of a software vulnerability in smart contract '
                  'code',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High (financial assets)',
                 'type_of_data_compromised': 'Cryptocurrency funds'},
 'date_detected': 'July 2022',
 'date_publicly_disclosed': 'July 2022',
 'description': "Hackers exploited a vulnerability in Illusory Systems' "
                '(Nomad) Token Bridge cryptocurrency smart contract solution, '
                'leading to the theft of $186 million in cryptocurrency funds. '
                'The FTC settlement requires the company to return recovered '
                'funds to victims and implement security reforms.',
 'impact': {'brand_reputation_impact': 'Significant damage due to '
                                       'misrepresentation of security '
                                       'capabilities',
            'data_compromised': 'Cryptocurrency funds',
            'financial_loss': '$186 million',
            'legal_liabilities': 'FTC settlement, requirement to return stolen '
                                 'funds and implement security reforms',
            'operational_impact': 'Delayed response to breach, reliance on '
                                  'manual intervention to halt transactions',
            'payment_information_risk': 'Cryptocurrency theft',
            'systems_affected': 'Token Bridge smart contract solution'},
 'investigation_status': 'Completed (FTC settlement reached)',
 'lessons_learned': 'Importance of secure coding practices, adequate testing, '
                    'automated fraud monitoring, and transparency in security '
                    'claims. Need for clear vulnerability reporting processes '
                    'and security staffing.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Implementation of a '
                                                  'comprehensive cybersecurity '
                                                  'plan, return of stolen '
                                                  'funds, and cooperation with '
                                                  'third-party assessors as '
                                                  'part of FTC settlement.',
                            'root_causes': 'Inadequate code testing, lack of '
                                           'secure coding practices, absence '
                                           'of automated fraud monitoring, '
                                           'insufficient security staff, and '
                                           'misrepresentation of security '
                                           'capabilities.'},
 'recommendations': 'Implement secure coding practices, conduct thorough '
                    'security testing, establish automated fraud monitoring, '
                    'hire adequate security staff, develop a written security '
                    'plan, and avoid misrepresenting security capabilities.',
 'references': [{'source': 'Federal Trade Commission'}],
 'regulatory_compliance': {'legal_actions': 'FTC settlement requiring security '
                                            'reforms and return of stolen '
                                            'funds',
                           'regulations_violated': 'FTC Act (unreasonable '
                                                   'security measures, '
                                                   'misrepresentation of '
                                                   'security capabilities)'},
 'response': {'containment_measures': 'Manual shutdown of the bridge after '
                                      'assets were drained',
              'enhanced_monitoring': 'Required as part of FTC settlement',
              'incident_response_plan_activated': 'Yes, but delayed and '
                                                  'ineffective',
              'recovery_measures': 'Return of $37 million safeguarded by white '
                                   'hat hackers to users',
              'remediation_measures': 'Implementation of a comprehensive '
                                      'cybersecurity plan as part of FTC '
                                      'settlement'},
 'threat_actor': 'Malicious hackers',
 'title': 'Nomad Token Bridge Cryptocurrency Heist',
 'type': 'Data Breach, Cryptocurrency Theft',
 'vulnerability_exploited': 'Inadequately tested code in Token Bridge smart '
                            'contracts, lack of secure coding practices, and '
                            'absence of automated fraud monitoring'}