On December 17, 2025, the Federal Trade Commission (FTC) issued a press release announcing that it is taking action against Illusory Systems, Inc. “for failing to implement adequate data security measures, leading to a major security breach in which hackers stole $186 million from consumers.”
In its complaint, the FTC alleged that Illusory, doing business as Nomad, “designed, operated, and advertised a service that allows users to transfer messages and assets, a type of platform commonly known as a ‘cross-chain bridge.’” A cross-chain bridge is also known as a crypto or blockchain bridge. A crypto bridge enables the transfer of digital assets between two different blockchain networks. It allows crypto owners to transfer tokens from one cryptocurrency network to another. Trusted bridges are operated by a centralized authority, and trustless bridges are decentralized and use smart contracts and validators.
In this case, Nomad was a trustless bridge and relied on smart contracts. In June of 2022, Nomad introduced new code for a smart contract that included a security vulnerability. Threat actors exploited the vulnerability and “virtually all assets in the bridge—worth approximately $186 million—were transferred out. Nomad users lost more than $100 million.” The complaint alleges that Nomad was warned about inadequate testing of the code but deployed it nonetheless.
The FTC alleges that Nomad’s failure to implement adequate security measures led to the breach. It alleges that Nomad marketed itself as a “security-first” platform but failed to:
- Use secure coding practices.
- Implement vulnerability reporting and incident response processes.
- Adopt widely known security technologies that could have mitigated losses.
The FTC further alleges that after the vulnerability was exploited, Nomad lacked adequate incident response measures, delaying mitigation and amplifying consumer harm.
The proposed order:
- prohibits Nomad from making false or misleading statements about the security of its products or services;
- requires Nomad to establish and maintain a documented security program;
- requires Nomad to undergo biennial independent security audits; and
- requires Nomad to return any recovered funds and repay approximately $37.5 million to users who remain uncompensated.
The proposed order is open for public comment for the next 30 days. If you are a Nomad user and have not been reimbursed for your cryptocurrency loss, you may be in luck if you are covered by the proposed order's $37.5 million reimbursement requirement.