FTC Orders Nomad to Return Stolen Funds and Overhaul Security After $186M Crypto Hack The Federal Trade Commission (FTC) has reached a settlement with Illusory Systems (operating as Nomad), requiring the company to return recovered funds to victims and implement sweeping security reforms following a 2022 hack that drained $186 million in cryptocurrency from users. The breach exploited a vulnerability in Nomad’s Token Bridge, a smart contract solution designed to transfer assets across blockchains. The FTC’s investigation found that Nomad misrepresented its security practices, advertising its platform as “high security” and “security first” while failing to implement basic safeguards. In June 2022, the company deployed untested code after a security audit, and by July 2022, hackers exploited the flaw to steal funds. White hat hackers later secured $37 million of the stolen assets, which Nomad must now return to users. Key security failures included: - No adequate testing—Engineers prioritized functionality over security, with minimal unit testing before deployment. - Lack of monitoring—The company had no automated fraud detection, learning of the breach from a social media post rather than internal alerts. - No kill switch—Without circuit breakers or emergency protocols, security teams were unable to halt the attack until after funds were drained. - Understaffed security—Nomad lacked dedicated security personnel, clear vulnerability reporting, and a written security plan. Internal communications revealed warnings from engineers about weak code testing and previous incidents where the company refused to reimburse users for losses caused by bugs. Despite marketing its platform as secure, executives acknowledged in private that the system was “free-to-use” with no guarantees of safety. As part of the settlement, Nomad must develop a comprehensive cybersecurity program, address flaws identified by the FTC, and submit to third-party assessments. The FTC emphasized that companies must “live up to their security promises” under the FTC Act. The case underscores the risks of cross-chain bridges, which have become prime targets for cybercriminals due to their high-value transactions.