Article Details
Scrape Timestamp (UTC): 2025-12-17 16:09:46.874
Source: https://www.theregister.com/2025/12/17/nomad_ftc_settlement/
Original Article Text
Blockchain company Nomad to repay users under FTC deal after $186M cyberattack.
Regulator makes various additional demands over alleged cybersecurity failings.
In proposing a settlement agreement, the Federal Trade Commission (FTC) says that Illusory Systems must repay users funds lost in a 2022 cyberattack.
Illusory Systems, which trades as Nomad, allegedly misled users about the security of its cryptocurrency bridge, which was compromised in 2022 in an attack that led to $186 million worth of funds being stolen.
The FTC alleged that Nomad pushed an update in June 2022 containing "inadequately tested code" that, in turn, introduced a "significant vulnerability" that was exploited around a month later.
The FTC acknowledged that some of these funds were recovered, but Nomad's customers ultimately lost out on approximately $100 million.
Bounty is live
Soon after the breach, Nomad established a "white hat" bounty program open to anyone who stole funds during the attack. It said those who return at least 90 percent of what they stole will be considered a "white hat," and in return, it would not pursue legal action against them. Those who complied would also receive 10 percent of whatever sum they returned as a gesture of goodwill.
The FTC's proposed settlement agreement, published this week, would require Nomad to repay around $37.5 million to users who remain out of pocket within a year of the agreement being signed, or 30 days after the end of any litigation related to the breach, whichever comes later.
Nomad would also be required to implement a comprehensive security program, assign an employee to maintain that program, and agree to regular, third-party assessments. The company would also be barred from making any further misrepresentations about the security of its products.
The complaint against Nomad alleges that, despite pitching its blockchain bridge as a "security-first" product at the time, the organization behind it fell short in various aspects of cybersecurity.
The FTC alleges that it failed to adopt secure coding practices, implement a vulnerability management program, and deploy technologies that would have limited the impact of a breach on its users. It went on to claim that these failures and lack of incident response capabilities contributed to the total loss of funds.
Nomad has agreed to the terms of the proposed settlement, which will be finalized following a public comment period and a second, final FTC vote.
"The FTC Act requires companies to take reasonable security measures," said Christopher Mufarrige, director at the FTC's Bureau of Consumer Protection. "It's important that companies live up to their security promises to consumers."
The company has a highly limited digital presence at present. Public communications have been nonexistent since 2023, and its website displays no information about how to contact it. The Register reached out to Nomad's lawyer for more information, but did not hear back by publication time.
Daily Brief Summary
The FTC has reached a proposed settlement with Illusory Systems, trading as Nomad, following a 2022 cyberattack that resulted in $186 million being stolen.
Nomad is required to repay approximately $37.5 million to affected users, addressing losses from the breach, with payments due within a year post-agreement or after related litigation.
The cyberattack exploited a vulnerability introduced by inadequately tested code in a June 2022 update, leading to significant financial losses for Nomad's customers.
A "white hat" bounty program was initiated by Nomad, incentivizing attackers to return stolen funds in exchange for legal immunity and a 10% reward.
The FTC's settlement demands Nomad implement a robust security program, conduct regular third-party assessments, and cease misleading security claims.
Allegations against Nomad include failure to adopt secure coding practices and implement effective incident response strategies, contributing to the breach's impact.
Nomad has agreed to the settlement terms, pending a public comment period and a final FTC vote, emphasizing the need for companies to uphold security commitments.