Blockchain company Nomad to repay users under FTC deal after $186M cyberattack
(2025/12/17)
- Reference: 1765987419
- News link: https://www.theregister.co.uk/2025/12/17/nomad_ftc_settlement/
- Source link:
In a proposed settlement agreement, the Federal Trade Commission (FTC) says that Illusory Systems must repay users for funds lost in a 2022 cyberattack.
Illusory Systems, which trades as Nomad, allegedly misled users about the security of its cryptocurrency bridge, which was [1]compromised in 2022 in an attack that led to $186 million worth of funds being stolen.
The FTC alleged that Nomad pushed an update in June 2022 containing "inadequately tested code" that, in turn, introduced a "significant vulnerability" that was exploited around a month later.
The FTC acknowledged that some of these funds were recovered, but Nomad's customers ultimately lost out on approximately $100 million.
Bounty is live
Soon after the breach, Nomad [3]established a "white hat" bounty program open to anyone who stole funds during the attack.
It said those who returned at least 90 percent of what they stole would be considered "white hats," and in return it would not pursue legal action against them. Those who complied would also keep 10 percent of whatever sum they returned as a gesture of goodwill.
The FTC's proposed settlement agreement, published this week, would require Nomad to repay around $37.5 million to users who remain out of pocket. The deadline is one year after the agreement is signed, or 30 days after the end of any litigation related to the breach, whichever comes later.
Nomad would also be required to implement a comprehensive security program, assign an employee to maintain that program, and agree to regular, third-party assessments.
The company would also be barred from making any further misrepresentations about the security of its products.
The complaint against Nomad alleges that, despite pitching its blockchain bridge as a "security-first" product at the time, the organization behind it fell short in various aspects of cybersecurity.
The FTC alleges that Nomad failed to adopt secure coding practices, implement a vulnerability management program, and deploy technologies that would have limited the impact of a breach on its users.
It went on to claim that these failures, together with a lack of [10]incident response capabilities, contributed to the total loss of funds.
Nomad has agreed to the terms of the proposed settlement, which will be finalized following a public comment period and a second, final FTC vote.
"The FTC Act requires companies to take reasonable security measures," said Christopher Mufarrige, director at the FTC's Bureau of Consumer Protection. "It's important that companies live up to their security promises to consumers."
The company has a highly limited digital presence at present. Public communications have been nonexistent since 2023, and its website displays no information about how to contact it.
The Register reached out to Nomad's lawyer for more information, but did not hear back by publication time. ®
[1] https://www.theregister.com/2022/08/02/flash_mob_robs_nomad_crypto/
[3] https://docs.nomad.xyz/
[10] https://www.theregister.com/2025/03/10/incident_response_advice/
Go on then...
"The Register reached out to Nomad's lawyer for more information, but did not hear back by publication time."
Well if they're leading a Nomadic lifestyle they could really be anywhere. Probably looking for some new mugs to scam investors to facilitate.
Also, Illusory Systems is the perfect name for a company pretending their product is something it most definitely isn't.