The wildest exploit in DeFi history didn’t require complex algorithms or genius coding. Instead, anyone with an internet connection could grab a piece of a $190 million fortune just by copying a single transaction on Etherscan.
Back in August 2022, an individual named Alexander Gurevich managed to flip $2,300 into a staggering $2.3 million using just one Ethereum transfer. Over 300 random onlookers noticed what he did on the blockchain and simply copy-pasted his exact move.
Before developers could hit the emergency brakes, the entire $190 million was gone. Ultimately, only $36 million was ever recovered, sparking a massive three-year FBI manhunt for the mastermind.
The victim of this exploit was Nomad, a popular cross-chain bridge. The protocol worked like most bridges: users deposited tokens like Ethereum to use on networks such as Avalanche or Moonbeam. The original assets were locked in an Ethereum smart contract, while Nomad minted wrapped versions of the tokens on the destination chain. To get your original crypto back, you would burn the wrapped tokens, prompting the smart contract to release your locked assets.
Across five different blockchains, this contract held a massive $190 million in user deposits. Its security relied entirely on one specific mechanism: verifying the authenticity of the burn messages. Every withdrawal request was checked against a value known as the "trusted root," and only requests that matched were cleared.
The fatal flaw occurred on June 21, 2022, during a seemingly routine code upgrade. Developers initialized the trusted root value to zero—a common software practice, but a devastating mistake in this context. Because zero was now registered as a valid root, the system automatically validated entirely fake withdrawal requests.
Suddenly, any wallet could ask for any amount of crypto, and Nomad would happily hand it over without ever checking if the user had deposited funds in the first place. For six full weeks, $190 million sat behind this broken lock, completely unnoticed.
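A simplified model of the check described above, added here as an illustration and not taken from Nomad's code. The class and method names are hypothetical, and the model assumes that a message which was never proven reads back the zero default as its root, which is why a trusted root of zero admits it.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value of an unset 32-byte slot (assumption of this model)


class BridgeModel:
    """Toy withdrawal verifier; hypothetical names, not the protocol's contract."""

    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        self.reject_zero_root = reject_zero_root
        if reject_zero_root and trusted_root == ZERO_ROOT:
            raise ValueError("trusted root must not be the zero value")
        self.confirmed_roots = {trusted_root}  # roots treated as valid
        self.proven = {}                       # message digest -> root it was proven under
        self.processed = set()                 # digests already paid out

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification, assumed to have succeeded.
        self.proven[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value is never a valid root
        return root in self.confirmed_roots

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False
        # A message nobody proved has no entry, so it reads back ZERO_ROOT.
        root = self.proven.get(digest, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(digest)
        return True


def demo():
    fake = b"constructed: release 100 WBTC, never proven"
    real = b"constructed: release 0.01 WBTC, proven"
    flawed = BridgeModel(ZERO_ROOT, reject_zero_root=False)      # upgrade as described
    hardened = BridgeModel(b"\x11" * 32, reject_zero_root=True)  # constructed root
    hardened.prove(real, b"\x11" * 32)
    return flawed.process(fake), hardened.process(fake), hardened.process(real)


if __name__ == "__main__":
    print(demo())
```

The flawed instance accepts the unproven message, while the hardened one refuses it and still pays out the proven one. A deployment check that fails when the trusted root equals the zero value would have caught the upgrade before it went live.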
Then came August 1, 2022. Gurevich stumbled upon the vulnerability, sent a measly 0.01 wrapped Bitcoin to the bridge, and walked away with 100 wrapped Bitcoin (valued at $2.3 million). A mind-blowing 10,000x return generated by a single click.
Because blockchains are entirely transparent, his transaction was immediately visible on Etherscan. News of the "free money" spread like wildfire across Crypto Twitter and Discord. Opportunists literally copied his transaction data directly from the block explorer, swapped in their own wallet addresses, and hit submit.
That was the entirety of the hack. No complex smart contracts, no flash loans, no exploit scripts—just editing a destination address and watching Nomad approve the transfer.
Security researcher samczsun famously dubbed the event a "frenzied free-for-all." Over the next four hours, more than 300 different wallets participated in the looting. Just 41 of those addresses snagged roughly 80% of the stash, walking away with $152 million. While a few participants were white-hat hackers trying to rescue funds to return them later, the vast majority kept the loot.
Nomad eventually paused the contract, but it was too late; the vault had been swept clean. Cybersecurity firm Mandiant later coined the term "Decentralized Robbery" in their official threat report, noting how unprecedented it was for hundreds of unconnected strangers to collaboratively drain a protocol.
But the story didn't end there.
Fast forward three years to May 2025: Israeli authorities apprehended Gurevich at Ben Gurion Airport as he attempted to flee to Russia using a fake passport. He had legally changed his name to "Alexander Block" just two days prior.
The FBI had been trailing him since 2023, tipped off by a Telegram message he foolishly sent directly to Nomad's CTO. In that message, Gurevich admitted to the exploit, apologized, and demanded a $500,000 white-hat bounty. When Nomad countered with an offer of just 10%, he ghosted them. Today, he faces up to 20 years in a US federal prison on eight charges, including money laundering, wire fraud, and the transportation of stolen property.
Meanwhile, the other 299 wallets that participated in the great drain remain permanently tagged on Etherscan to this day.



