**FTC Orders Nomad to Return Stolen Funds and Reform Security After $186M Crypto Hack**
The Federal Trade Commission (FTC) has reached a settlement with Illusory Systems (operating as Nomad), requiring the company to return recovered funds to victims and implement sweeping cybersecurity reforms. The order follows a 2022 breach in which hackers exploited a vulnerability in Nomad’s Token Bridge—a smart contract solution designed to transfer cryptocurrency across blockchains—stealing $186 million from users.
The FTC’s investigation found that Nomad misrepresented its security practices, advertising its platform as “high security” and “security first” while failing to implement basic safeguards. In June 2022, the company deployed untested code after a security audit, leaving a critical flaw unaddressed. By July 2022, attackers exploited the vulnerability, draining user funds. White hat hackers later secured $37 million of the stolen assets, which Nomad is now required to return.
The FTC’s complaint highlighted systemic security failures, including:
- Inadequate testing: Most pre-deployment checks focused on functionality, not security.
- Lack of safeguards: No automated fraud monitoring, circuit breakers, or kill switches to halt suspicious transactions.
- Delayed response: The breach was detected via social media, not internal systems, and engineers scrambled to respond—including relaying code fixes mid-flight.
- Ignored warnings: Months before the hack, an engineer warned leadership about weak testing practices, citing a prior incident where untested code caused losses.
Nomad also overrode internal efforts to reimburse users after a separate bug in its web interface led to losses, with executives reportedly stating the platform offered “no guarantees of safety.”
Under the settlement, Nomad must develop a comprehensive cybersecurity program, address flaws identified by the FTC, and submit to third-party assessments. The case underscores the FTC’s stance that companies must deliver on security promises—or face enforcement action.
Source: https://cyberscoop.com/ftc-settles-with-illusory-systems-in-2022-cryptocurrency-hack/
{
  "id": "ILLFED1765936610",
  "linkid": "illusoryio, federal-trade-commission",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users of Token Bridge smart contracts",
      "industry": "Blockchain, FinTech",
      "name": "Illusory Systems (Nomad)",
      "type": "Cryptocurrency company"
    }
  ],
  "attack_vector": "Exploitation of a software vulnerability in smart contracts",
  "data_breach": {
    "data_exfiltration": "Yes, $186 million stolen",
    "sensitivity_of_data": "High (financial assets)",
    "type_of_data_compromised": "Cryptocurrency funds"
  },
  "date_detected": "July 2022",
  "date_publicly_disclosed": "July 2022",
  "description": "Hackers exploited a vulnerability in Illusory Systems' (Nomad) Token Bridge cryptocurrency smart contract solution, leading to the theft of $186 million in cryptocurrency funds from users. The FTC settlement requires the company to return recovered funds to victims and implement security reforms.",
  "impact": {
    "brand_reputation_impact": "Significant damage due to misrepresentation of security capabilities",
    "data_compromised": "Cryptocurrency funds",
    "financial_loss": "$186 million",
    "legal_liabilities": "FTC settlement, potential fines, and regulatory actions",
    "operational_impact": "Token Bridge was emptied of assets; delayed response due to lack of automated monitoring",
    "payment_information_risk": "Cryptocurrency funds at risk",
    "systems_affected": "Token Bridge smart contracts, cryptocurrency wallets"
  },
  "investigation_status": "Completed (FTC settlement reached)",
  "lessons_learned": "Failure to implement secure coding practices, lack of automated fraud monitoring, inadequate security staffing, and misrepresentation of security capabilities led to catastrophic financial loss.",
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "corrective_actions": "Implementation of a comprehensive cybersecurity plan, third-party assessments, and return of recovered funds to victims.",
    "root_causes": "Inadequate code testing, lack of secure coding practices, absence of automated fraud monitoring, insufficient security staff, and misrepresentation of security capabilities."
  },
  "recommendations": "Implement secure coding practices, conduct thorough security testing, establish automated fraud monitoring, hire adequate security staff, and avoid misrepresenting security capabilities.",
  "references": [
    {"source": "Federal Trade Commission"}
  ],
  "regulatory_compliance": {
    "legal_actions": "FTC settlement requiring security reforms and fund return",
    "regulations_violated": "FTC Act (unfair or deceptive practices)"
  },
  "response": {
    "containment_measures": "Shut down the bridge after assets were drained",
    "enhanced_monitoring": "Required as part of FTC settlement",
    "incident_response_plan_activated": "Yes, but delayed and chaotic",
    "recovery_measures": "Return of $37 million safeguarded by white hat hackers to users",
    "remediation_measures": "Implementation of a comprehensive cybersecurity plan as part of FTC settlement"
  },
  "threat_actor": "Malicious hackers",
  "title": "Nomad Token Bridge Hack",
  "type": "Data Breach, Cryptocurrency Theft",
  "vulnerability_exploited": "Inadequately tested code in Token Bridge smart contracts"
}