The FTC announced a proposed order against Illusory Systems Inc., operator of the Nomad crypto bridge, after a June 2022 code change introduced a vulnerability that was exploited in August 2022, leading to roughly $186 million being stolen. The settlement would require the company to return recovered funds to affected users, implement a comprehensive information security program, and submit to independent biennial assessments.

The Federal Trade Commission publicized a proposed enforcement order against Illusory Systems Inc., the operator of the Nomad cross-chain crypto bridge, alleging that a June 2022 code change introduced a security vulnerability that was later exploited in an August 2022 hack, resulting in approximately $186 million being stolen and an estimated $100 million net consumer loss. Under the proposed settlement, Illusory Systems would be barred from making deceptive claims about its security practices, required to implement and maintain a comprehensive information security program tailored to risks associated with crypto bridging and custody, and subject to independent security assessments every two years. The order also contemplates the return of recovered funds to affected users and additional remedial obligations to prevent similar breaches going forward. The FTC framed the action as addressing not only the financial harm from the exploit but also broader consumer protection failures tied to misrepresentations of security and inadequate operational safeguards. If finalized, the order would signal heightened regulatory scrutiny of custodial and bridge operators in the decentralized finance ecosystem and set compliance expectations for security governance and transparency.