Illusory Systems Reaches Settlement with FTC Following 2022 Crypto Breach

Key Takeaways

  • The Federal Trade Commission (FTC) has ordered Illusory Systems, also known as Nomad, to return recovered funds to victims and carry out security reforms after a software flaw in its Token Bridge let attackers steal $186 million in cryptocurrency.
  • The company must implement a comprehensive cybersecurity program, fix the security flaws identified in the FTC's complaint, and cooperate with independent third-party assessors to protect consumers from theft and fraud.
  • The FTC found that Illusory Systems had misrepresented its commitment to security: it had not put reasonable and appropriate security practices in place, lacked adequate security staff, and had no clear vulnerability reporting and incident response processes.
  • The company must return to users the at least $37 million that white hat hackers recovered from the stolen funds, and must submit to regular independent security assessments to verify compliance with the settlement.

Introduction to the Incident
The Federal Trade Commission (FTC) has announced a settlement with Illusory Systems, a company that builds cryptocurrency smart contract products, after a software flaw let attackers steal $186 million in cryptocurrency from users. The incident occurred in 2022, when hackers exploited a vulnerability in the company’s Token Bridge, a cross-chain bridge whose smart contracts connect different blockchains and let users transfer assets between them. Under the settlement, Illusory Systems must implement a comprehensive cybersecurity program, fix the security flaws identified in the FTC’s complaint, and cooperate with independent third-party assessors to protect consumers from theft and fraud.

Background on the Company and the Incident
Illusory Systems, also known as Nomad, introduced new, inadequately tested code into its Token Bridge in June 2022, after a security audit had already been completed. One month later, malicious hackers used the flaw to steal $186 million in cryptocurrency from users. White hat hackers used the same exploit to safeguard at least $37 million of the funds before the attackers could drain them, and the agreement directs Illusory Systems to return that money to users. The FTC focused on how Illusory Systems presented its Token Bridge network to customers, charging the company with materially misrepresenting its commitment to security. The company had advertised the bridge as "high security," a "security first" solution that "prioritizes the safety and security of the funds/cross chain messages," and something that would "keep the entire system (and your funds/messages) safe."

FTC Investigation and Findings
The FTC’s investigation found that Illusory Systems had failed to put reasonable and appropriate security practices in place, despite knowing that cross-chain bridges like Token Bridge were targeted by hackers and that a compromise could result in "catastrophic loss." The company’s developers did not follow well-known secure coding practices, such as writing and running adequate unit tests before pushing code to production. In fact, most testing of Token Bridge checked that it functioned properly rather than that it was secure. The company also lacked adequate security staff, clear vulnerability reporting and response processes, a written security plan, and widely accepted industry safeguards such as circuit breakers or a "kill switch" that could halt suspicious transactions.

Consequences of the Incident
The lack of adequate security measures had severe consequences for Illusory Systems and its users. Because it had no automated fraud monitoring, the company learned about the breach from a user on social media rather than detecting it internally. Staff scrambled to respond to the hack, at one point relying on an engineer on a flight to relay code snippets over an online chat. The delays meant security staff were "unable to shut down the bridge until after it had been emptied of assets." The investigation also revealed that, despite promising to keep customers’ funds secure, the company had previously overridden internal efforts to reimburse users who lost money when a bug in the web-based Token Bridge interface caused losses.
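The two failings above, no circuit breaker that could halt suspicious transfers and no automated monitoring that could notice a drain before a user on social media did, are both addressed by the same control: an outflow limiter that pauses the bridge on its own. The following is an added illustration written for this page, not code from Illusory Systems, Nomad, or the FTC complaint. It models an off-chain monitor in Python rather than an on-chain contract, and the thresholds, the `Withdrawal` and `CircuitBreaker` names, the addresses and the event stream are all constructed for the example.

```python
"""Rolling-window circuit breaker for a cross-chain bridge (illustrative model).

Two independent limits: a per-transfer hard cap and a total-outflow cap over the
last `window_secs`. Tripping either one pauses every later withdrawal until an
operator deliberately calls resume(); no human has to be awake to stop a drain.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    """One outbound transfer seen by the monitor (constructed sample data)."""
    ts: int          # unix seconds
    recipient: str   # hypothetical address, not a real account
    amount: int      # value in whole units of one notional asset


@dataclass
class CircuitBreaker:
    window_secs: int
    max_outflow: int                # total allowed to leave within the window
    max_single: int                 # hard cap on any one transfer
    paused: bool = False
    _recent: deque = field(default_factory=deque)  # (ts, amount) still in window
    _window_total: int = 0

    def _evict(self, now: int) -> None:
        # Drop transfers that have aged out of the rolling window.
        while self._recent and now - self._recent[0][0] >= self.window_secs:
            _, amt = self._recent.popleft()
            self._window_total -= amt

    def process(self, w: Withdrawal) -> str:
        """Return "ok" if the transfer may proceed, "paused" if the bridge is halted."""
        if self.paused:
            return "paused"
        self._evict(w.ts)
        if w.amount > self.max_single or self._window_total + w.amount > self.max_outflow:
            self.paused = True   # trip: nothing else leaves until resume()
            return "paused"
        self._recent.append((w.ts, w.amount))
        self._window_total += w.amount
        return "ok"

    def resume(self) -> None:
        """Explicit re-enable after investigation; never automatic."""
        self.paused = False


def run(events, breaker):
    """Feed events through the breaker; return (statuses, released, blocked)."""
    statuses, released, blocked = [], 0, 0
    for w in events:
        status = breaker.process(w)
        statuses.append(status)
        if status == "ok":
            released += w.amount
        else:
            blocked += w.amount
    return statuses, released, blocked


# Constructed event stream: normal traffic followed by a rapid drain.
SAMPLE_EVENTS = [
    Withdrawal(0, "0xa1", 5_000),
    Withdrawal(60, "0xb2", 12_000),
    Withdrawal(120, "0xc3", 8_000),
    Withdrawal(130, "0xd4", 900_000),
    Withdrawal(131, "0xd4", 900_000),
    Withdrawal(132, "0xe5", 900_000),
    Withdrawal(133, "0xe5", 900_000),
    Withdrawal(134, "0xf6", 50),
]


def demo():
    """Run the sample drain against a breaker tuned for this toy traffic."""
    breaker = CircuitBreaker(window_secs=600, max_outflow=2_000_000, max_single=1_000_000)
    return run(SAMPLE_EVENTS, breaker)


if __name__ == "__main__":
    statuses, released, blocked = demo()
    print(statuses)
    print(f"released={released} blocked={blocked}")
```

With these constructed numbers the first two large transfers clear the window limit and the third trips the breaker, so 1,825,000 units leave and 1,800,050 are held back, including the small legitimate transfer at the end. That last point is the trade-off of any kill switch: it stops honest users too, which is why the resume path is a deliberate operator action rather than a timer, and why the window and caps need tuning against real traffic before deployment.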

Settlement and Reforms
Under the settlement, Illusory Systems must implement a comprehensive cybersecurity program that fixes the security flaws identified in the FTC’s complaint, and must cooperate with independent third-party assessors who will evaluate that program. The company must also return to users the at least $37 million recovered by white hat hackers and submit to regular security assessments to ensure compliance with the settlement. The FTC’s Director of the Bureau of Consumer Protection, Christopher Mufarrige, stated that "the FTC Act requires companies to take reasonable security measures" and that "it’s important that companies live up to their security promises to consumers." The settlement is a reminder to companies that security claims made to customers are commitments they must be able to back up.

Conclusion and Implications
The Illusory Systems incident highlights the importance of robust cybersecurity measures and the need for companies to fulfill their security promises to customers. The FTC’s settlement with Illusory Systems demonstrates the commission’s commitment to holding companies accountable for their security practices and protecting consumers from theft and fraud. As the use of cryptocurrencies and blockchain technology continues to grow, it is essential for companies to prioritize cybersecurity and implement reasonable and appropriate security measures to protect their users’ assets. The settlement also underscores the importance of transparency and accountability in the cryptocurrency industry, and the need for companies to be honest and forthcoming about their security practices and any potential vulnerabilities.
