The U.S. Federal Trade Commission has moved to hold Illusory Systems, which operated the cryptocurrency bridge Nomad, financially accountable for one of the most damaging crypto security breaches of 2022, accusing the company of overstating the safety of its platform while failing to meet basic cybersecurity standards.
In a proposed settlement agreement released this week, the FTC said Nomad must repay users who lost funds in the cyberattack that ultimately drained about $186 million from the bridge. While some assets were later recovered, regulators estimate customers were left with losses of roughly $100 million.
The FTC’s complaint centers on events leading up to the breach. According to the agency, Nomad deployed a software update in June 2022 that contained what it described as “inadequately tested code.” That update allegedly introduced a critical vulnerability, which attackers exploited about a month later, triggering a rapid and chaotic drain of funds from the bridge. The incident quickly became one of the most widely cited examples of how fragile cross-chain infrastructure can be when security controls fail.
Nomad had marketed itself at the time as a “security-first” blockchain bridge, a claim the FTC says was not backed up by its internal practices. The agency alleges the company failed to adopt secure coding standards, did not maintain an effective vulnerability management program, and lacked safeguards that could have limited the scale of losses once the breach began. It also said Nomad’s incident response capabilities were insufficient, allowing the exploit to spiral and compounding user losses.
Under the proposed settlement, Nomad would be required to repay about $37.5 million to users who remain out of pocket. The payment would be due within one year of the agreement being finalized, or within 30 days after the conclusion of any related litigation, whichever comes later. The FTC acknowledged that the amount falls well short of total losses but framed the repayment as a concrete step toward restitution.
Beyond financial redress, the settlement imposes significant operational requirements. Nomad would have to establish a comprehensive security program, designate a specific employee responsible for maintaining it, and submit to regular third-party security assessments. The company would also be permanently barred from making misrepresentations about the security of its products, a restriction aimed at preventing similar claims in future ventures.
Nomad has agreed to the proposed terms. The settlement will now go through a public comment period before returning to the FTC for a second and final vote, a standard process for agency enforcement actions.
“This case sends a clear message,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “The FTC Act requires companies to take reasonable security measures. It’s important that companies live up to their security promises to consumers.”
The case also highlights the challenges of accountability in the crypto sector years after high-profile failures. Nomad today has a minimal digital footprint. Public communications have been absent since 2023, and its website provides no clear contact information, underscoring how difficult it can be for affected users to seek answers long after a platform has effectively gone dark.
The action against Nomad, however, signals a continued willingness to use consumer protection laws to police cybersecurity claims in crypto and fintech, even when companies are no longer active. For users, it offers limited financial recovery, but also a rare acknowledgment from a U.S. regulator that exaggerated security promises in the crypto market can carry real consequences.



