The U.S. Federal Trade Commission has proposed a settlement with Illusory Systems Inc., the operator of the Nomad crypto bridge, over a 2022 cyberattack that drained approximately $186 million in digital assets. According to the regulator, a poorly tested software update introduced a critical vulnerability in Nomad’s smart contracts, which was rapidly exploited by hackers and led to the near-total depletion of funds on the bridge.

The FTC alleged that Illusory marketed Nomad as a “security-first” platform while failing to follow basic secure coding standards and maintain effective vulnerability reporting and incident-response procedures. As a result, the company was unable to halt the exploit in time, leaving consumers with losses exceeding $100 million.

Under the proposed settlement, Illusory would be prohibited from misrepresenting its security practices, required to implement a formal information security program, undergo independent biennial security assessments, and return any recovered funds not yet repaid to affected users. The agreement has been placed on public record for a 30-day comment period before a final decision is made by the FTC.