
Nomad

Nomad suffered $186M breach after deploying inadequately tested code despite 'security-first' marketing claims

· $186.0M

In June 2022, Nomad introduced inadequately tested code that included a significant vulnerability. Just over a month later on August 1, 2022, hackers exploited the vulnerability, resulting in the theft of approximately $186 million in cryptocurrency (Ethereum, USDC, DAI, WBTC). The company was able to recover some funds, but consumers ultimately lost approximately $100 million. Despite prominently marketing itself as offering 'security-first' services, Nomad failed to use secure coding practices, implement vulnerability reporting processes, or deploy widely accepted security measures like circuit breakers or kill switches. The company had been warned about the dangers of inadequate testing and staffing but failed to implement basic safety measures. The FTC settlement in December 2025 required $37.5M restitution and a comprehensive security program.

Scoring Impact

| Topic | Direction | Relevance | Contribution |
| --- | --- | --- | --- |
| Consumer Protection | -against | primary | -1.00 |
| Corporate Transparency | -against | secondary | -0.50 |
| Data Security | -against | primary | -1.00 |

Overall incident score = -0.425

Score = avg(topic contributions) × significance (high ×1.5) × confidence (0.68) × agency (negligent ×0.5)

Evidence (2 signals)

Confirms Legal Action Dec 16, 2025 verified

FTC settlement required Nomad to pay $37.5M restitution and implement security program after $186M breach

The FTC announced a proposed settlement with cryptocurrency company Illusory Systems Inc. d/b/a Nomad for failing to implement adequate security measures leading to a breach in which hackers stole $186 million from customers. The FTC alleged that Nomad prominently touted 'security-first' services but failed to use secure coding practices, implement processes for receiving vulnerability reports, or utilize widely known technologies to mitigate consumer losses. Settlement requires $37.5M restitution, comprehensive security program, and prohibits misrepresentations about security practices.

Confirms product_decision Aug 1, 2022 verified

Nomad deployed vulnerable code in June 2022 that hackers exploited for $186M theft in August

Nomad introduced inadequately tested code in June 2022 that included a significant vulnerability. On August 1, 2022, hackers began exploiting the vulnerability, stealing approximately $186 million in Ethereum, USDC, DAI, and WBTC. Despite being warned about inadequate testing and staffing, Nomad lacked adequate security staff, clear vulnerability reporting processes, a written security plan, and widely accepted security measures such as circuit breakers or kill switches. During the incident, Nomad had to rely on an engineer who was on a plane to relay code snippets via chat to the incident manager.
