Nomad Agrees to Pay $186M Settlement Over Devastating Cyber Heist


Key Takeaways

  • The Federal Trade Commission (FTC) has proposed a settlement agreement with Illusory Systems, also known as Nomad, to repay users who lost funds in a 2022 cyberattack.
  • The cyberattack resulted in the theft of $186 million worth of funds, with approximately $100 million remaining unrecovered.
  • Nomad allegedly misled users about the security of its cryptocurrency bridge, which was compromised due to "inadequately tested code" and a "significant vulnerability".
  • The proposed settlement agreement requires Nomad to repay around $37.5 million to affected users, implement a comprehensive security program, and assign an employee to maintain the program.
  • Nomad will also be barred from making further misrepresentations about the security of its products and will be subject to regular, third-party assessments.

Introduction to the Cyberattack
The Federal Trade Commission (FTC) has proposed a settlement agreement with Illusory Systems, which trades as Nomad, to repay users who lost funds in a 2022 cyberattack. The attack resulted in the theft of $186 million worth of funds, with approximately $100 million remaining unrecovered. The FTC alleged that Nomad pushed an update in June 2022 containing "inadequately tested code" that introduced a "significant vulnerability", which was exploited around a month later. This vulnerability was the primary cause of the cyberattack, and the FTC claims that Nomad’s failure to adopt secure coding practices and implement a vulnerability management program contributed to the total loss of funds.

Allegations of Misrepresentation
The FTC alleged that Nomad misled users about the security of its cryptocurrency bridge, which was compromised in the 2022 cyberattack. Despite pitching its blockchain bridge as a "security-first" product, the organization behind it fell short in various aspects of cybersecurity. The FTC claims that Nomad failed to adopt secure coding practices, implement a vulnerability management program, and deploy technologies that would have limited the impact of a breach on its users. These failures and lack of incident response capabilities contributed to the total loss of funds, and the FTC is seeking to hold Nomad accountable for its actions.

Proposed Settlement Agreement
The proposed settlement agreement, published this week, would require Nomad to repay around $37.5 million to users who remain out of pocket within a year of the agreement being signed, or 30 days after the end of any litigation related to the breach, whichever comes later. Nomad would also be required to implement a comprehensive security program, assign an employee to maintain that program, and agree to regular, third-party assessments. The company would also be barred from making any further misrepresentations about the security of its products. The FTC’s goal is to ensure that Nomad takes reasonable security measures to protect its users and lives up to its security promises.

Response from Nomad and the FTC
Nomad has agreed to the terms of the proposed settlement, which will be finalized following a public comment period and a second, final FTC vote. The company has a highly limited digital presence at present, with public communications having been nonexistent since 2023, and its website displaying no information about how to contact it. The Register reached out to Nomad’s lawyer for more information, but did not hear back by publication time. Christopher Mufarrige, director at the FTC’s Bureau of Consumer Protection, stated that "The FTC Act requires companies to take reasonable security measures" and that "It’s important that companies live up to their security promises to consumers." This statement highlights the importance of companies prioritizing cybersecurity and being transparent about their security practices.

Conclusion and Implications
The proposed settlement agreement between the FTC and Nomad serves as a reminder of the importance of cybersecurity and the need for companies to prioritize the security of their users. The cyberattack that occurred in 2022 resulted in significant financial losses for Nomad’s users, and the FTC’s actions aim to hold the company accountable for its alleged misrepresentations and security failures. The settlement agreement requires Nomad to take concrete steps to improve its security practices and repay affected users, and it serves as a warning to other companies to prioritize cybersecurity and transparency. As the use of cryptocurrency and blockchain technology continues to grow, it is essential that companies prioritize security and be transparent about their practices to maintain user trust and prevent similar incidents from occurring in the future.
