Nomad suffered $186M breach after deploying inadequately tested code despite 'security-first' marketing claims
Aug 1, 2022

In June 2022, Nomad introduced inadequately tested code that included a significant vulnerability. Just over a month later, on August 1, 2022, hackers exploited the vulnerability, resulting in the theft of approximately $186 million in cryptocurrency (Ethereum, USDC, DAI, WBTC). The company was able to recover some funds, but consumers ultimately lost approximately $100 million. Despite prominently marketing itself as offering 'security-first' services, Nomad failed to use secure coding practices, implement vulnerability reporting processes, or deploy widely accepted security measures like circuit breakers or kill switches. The company had been warned about the dangers of inadequate testing and staffing but failed to implement basic safety measures. The FTC settlement in December 2025 required $37.5M in restitution and a comprehensive security program.