FTC Reaches Preliminary Agreement with Illusory Systems
The Federal Trade Commission (FTC) announced on Tuesday that it has reached a preliminary agreement with Illusory Systems Inc., the entity behind the Nomad cryptocurrency bridge, regarding a significant hack that occurred in 2022. This cyber attack resulted in the theft of nearly all assets from the Nomad platform, totaling around $186 million, ultimately leading to consumer losses exceeding $100 million.
Settlement Terms
As part of the proposed settlement, Illusory Systems will be:
- Prohibited from providing false information about its security measures.
- Mandated to develop an official information-security program.
- Required to undergo independent security evaluations every two years.
- Obligated to return any funds that have been recovered but not yet reimbursed to affected customers.
Details of the Hack
The exploit transpired due to inadequate incident response protocols, which left Nomad dependent on a single engineer, who was traveling by air, to communicate emergency code adjustments to a responding incident manager. This delay meant that Nomad could not halt the hack until after its funds had been completely drained.
The FTC’s complaint noted that Illusory Systems misrepresented its product as “security-first” while failing to properly test its software and establish clear processes for identifying vulnerabilities and responding to incidents. These oversights culminated in the exposure of a critical weakness within a smart contract following a code update in June 2022. Consequently, on August 1, hackers began to exploit this vulnerability, leading to the unprecedented financial losses.
The FTC highlighted that despite the company’s marketing emphasis on the importance of rigorous testing for smart contracts, Nomad often fell short of those standards, as acknowledged by its engineers prior to the attack.
Recovery and Legal Actions
After the breach, the firm managed to recover $22 million from the stolen virtual assets. Earlier this year, Alexander Gurevich, a suspect in the incident, was arrested in Israel after attempting to flee to Moscow, having recently changed his name to evade authorities.
The FTC formalized its findings by stating that there are grounds for believing Illusory Systems violated the Federal Trade Commission Act, thus leading to the issuance of a complaint against the company. The agency has placed the executed Consent Agreement on public record for a 30-day period to allow for public feedback. Neither the FTC nor Illusory Systems has provided comments on the matter.