
FTC building (John Taylor/Flickr)
The Federal Trade Commission (FTC) has mandated that a company, which previously promoted its robust cybersecurity, must return recovered funds to victims and implement significant security enhancements. This directive follows a software vulnerability that enabled hackers to steal hundreds of millions of dollars in cryptocurrencies from users.
The FTC announced a settlement with Illusory Systems, also known as Nomad, after an inquiry into a 2022 incident. During this event, hackers exploited a weakness in the company’s Token Bridge, a cryptocurrency smart contract solution. This technology facilitates the transfer of assets between different blockchain networks.
Under the terms of the agreement, Illusory Systems is required to establish a comprehensive cybersecurity program. This includes addressing specific security flaws highlighted in the FTC’s complaint, along with developing strategies to safeguard consumers from theft and fraud. The company must also submit this plan, collaborate with independent third-party evaluators on improvements, and return any stolen funds recovered by law enforcement.
Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, stated, “The FTC Act requires companies to take reasonable security measures. It’s important that companies live up to their security promises to consumers.”
An FTC complaint indicates that in June 2022, Illusory Systems deployed “new, inadequately tested code” for its Token Bridge cryptocurrency smart contracts, despite a prior security audit.
Just one month later, malicious actors exploited this flaw, stealing $186 million in cryptocurrency from users. White-hat hackers used the same exploit to rescue at least $37 million of the compromised funds before the bridge could be fully drained. The settlement requires Illusory Systems to return these safeguarded funds to users.
The FTC’s investigation focused on how Illusory Systems marketed its Token Bridge network to customers. The company was accused of misrepresenting its commitment to user security.
The company had, at various times, advertised the smart contract solution as “high security,” a “security first” solution that “prioritizes the safety and security of the funds/cross chain messages,” and something designed to “keep the entire system (and your funds/messages) safe.”
One particular message simply declared: “We’re secure…period.”
However, the FTC’s investigation concluded that Illusory Systems had failed to implement reasonable and appropriate security protocols.
Despite awareness that cross-chain bridges like Token Bridge were frequent targets for hackers and could lead to “catastrophic loss” if compromised, developers neglected to implement “well known secure coding practices, such as writing and conducting adequate unit tests prior to pushing code to production.”
Internal analyses by company software engineers and a post-incident review revealed that most testing for Token Bridge focused on functionality rather than verifying its security.
According to the commission, Illusory Systems lacked sufficient security personnel, clear processes for vulnerability reporting and response, a formal written security plan, and “widely accepted industry norms” such as circuit breakers or a “kill switch” to halt suspicious financial transactions.
Furthermore, the company did not have automated fraud monitoring in place, leading it to discover the breach via a user on social media rather than through internal detection systems.
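The two controls the complaint says were missing, automated monitoring of outflows and a circuit breaker that halts transfers when they look abnormal, can be illustrated with a small off-chain monitor. The code below is an added example written for this article; it is not Illusory Systems' code and does not reflect how Token Bridge worked. It watches a feed of withdrawal events, keeps a sliding-window total of the value leaving the bridge, and trips a pause (the "kill switch") when that total would exceed a limit. The window length, the volume limit, the `Withdrawal` record and the sample events are all constructed assumptions; in a production bridge the pause would be enforced by the contract itself (a guardian-callable pause function), with this kind of monitor as the trigger.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Withdrawal:
    """One bridge withdrawal observed by the monitor (constructed record format)."""
    ts: int           # unix seconds when the withdrawal was observed
    amount: float     # value in a single reference unit (e.g. USD) for comparability
    recipient: str    # destination address (illustrative placeholder strings below)


class BridgeCircuitBreaker:
    """Sliding-window outflow limit that trips a kill switch when exceeded.

    Once tripped, every further withdrawal is rejected until an operator
    explicitly resumes, so a drain is bounded by max_volume rather than by
    how quickly staff notice a report on social media.
    """

    def __init__(self, window_seconds: int, max_volume: float):
        self.window = window_seconds
        self.max_volume = max_volume
        self.paused = False
        self.alerts: list[str] = []
        self._recent: deque[Withdrawal] = deque()   # withdrawals inside the window
        self._volume = 0.0                          # running sum of self._recent

    def _expire(self, now: int) -> None:
        """Drop withdrawals that have aged out of the sliding window."""
        while self._recent and self._recent[0].ts <= now - self.window:
            self._volume -= self._recent.popleft().amount

    def process(self, w: Withdrawal) -> bool:
        """Return True if the withdrawal is allowed, False if it is blocked."""
        if self.paused:
            self.alerts.append(f"{w.ts}: rejected {w.amount} to {w.recipient}: bridge paused")
            return False
        self._expire(w.ts)
        if self._volume + w.amount > self.max_volume:
            # Trip the breaker: refuse this withdrawal and every later one.
            self.paused = True
            self.alerts.append(
                f"{w.ts}: circuit breaker tripped: {self._volume + w.amount:.0f} "
                f"would exceed limit {self.max_volume:.0f} in {self.window}s window"
            )
            return False
        self._recent.append(w)
        self._volume += w.amount
        return True

    def resume(self, operator: str) -> None:
        """Clear the pause after a human review; the reset itself is logged."""
        self.alerts.append(f"resume by {operator}")
        self.paused = False


def run_sample() -> tuple[int, int, bool]:
    """Feed a constructed event stream through the breaker.

    Returns (allowed, rejected, paused). The stream is ordinary traffic followed
    by a burst of large withdrawals to one address, the pattern a drain produces.
    """
    breaker = BridgeCircuitBreaker(window_seconds=3600, max_volume=1_000_000)
    events = [  # constructed sample data
        Withdrawal(0, 50_000, "0xaaa"),
        Withdrawal(600, 120_000, "0xbbb"),
        Withdrawal(1200, 80_000, "0xccc"),
        Withdrawal(1800, 400_000, "0xddd"),   # still under the limit (650k)
        Withdrawal(1900, 400_000, "0xddd"),   # would reach 1.05M: trips the breaker
        Withdrawal(1910, 400_000, "0xddd"),   # rejected: paused
        Withdrawal(1920, 10, "0xeee"),        # even small legitimate traffic waits
    ]
    allowed = sum(1 for e in events if breaker.process(e))
    return allowed, len(events) - allowed, breaker.paused


if __name__ == "__main__":
    result = run_sample()
    print(result)  # → (4, 3, True)
```

The limit is deliberately a hard stop rather than a per-transaction check: a drain executed as many moderately sized withdrawals passes any single-transfer filter but not a windowed total. Halting legitimate users until an operator reviews the alert is the intended trade-off of a kill switch, which is why the resume path is a separate, logged action.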
Staff members struggled to respond to the hack, even resorting to an engineer on a flight relaying code snippets through an online chat. These delays meant security personnel were “unable to shut down the bridge until after it had been emptied of assets.”
Months prior to the incident, an engineer had warned the CEO about inadequate code testing and quality assurance, noting that the company had previously released code with a significant vulnerability due to insufficient testing.
The investigation also uncovered that, despite assurances to keep customer funds secure, the company had previously overruled internal efforts to compensate users who lost money due to a bug in the web-based Token Bridge interface.
In one instance, the chief operating officer reportedly stated, “there are no guarantees of safety,” while the CEO remarked that Illusory Systems was “putting out a free-to-use interface to a protocol that may have bugs/issues.”