Nomad

The FTC announced a proposed order to settle allegations that cryptocurrency company Nomad (Illusory Systems Inc.) failed to implement adequate security measures leading to a breach in which hackers stole $186 million from customers. The FTC alleged that Nomad prominently touted its security in advertising, claiming 'security-first' services, but failed to live up to these promises by failing to use secure coding practices, implement processes for receiving and addressing vulnerability reports, respond to security incidents, or utilize widely known technologies that might have helped mitigate consumer losses.

In June 2022, Nomad introduced inadequately tested code that included a significant vulnerability. Just over a month later on August 1, 2022, hackers exploited the vulnerability, resulting in the theft of approximately $186 million in cryptocurrency (Ethereum, USDC, DAI, WBTC). The company was able to recover some funds, but consumers ultimately lost approximately $100 million. Despite prominently marketing itself as offering 'security-first' services, Nomad failed to use secure coding practices, implement vulnerability reporting processes, or deploy widely accepted security measures like circuit breakers or kill switches. The company had been warned about the dangers of inadequate testing and staffing but failed to implement basic safety measures. The FTC settlement in December 2025 required $37.5M restitution and a comprehensive security program.