
“We’re Secure… Period.” The Lie Nomad Told Before Losing $100 Million of User Funds

The Federal Trade Commission has charged Illusory Systems, Inc. — doing business as Nomad — with unfair and deceptive practices after a catastrophic 2022 hack drained a crypto bridge its own engineers had flagged as dangerously undertested. The company promised security. It delivered disaster.

While Nomad’s CEO was publicly declaring “We’re secure… period,” his own engineers were privately warning that skipping code tests and rushing deployments would eventually get everyone “rugged without noticing an error” — and they were right.

What Nomad Actually Was — And What It Promised You

Nomad operated what’s called a cross-chain bridge: a piece of software infrastructure that lets users move digital assets between different blockchain networks. Starting in January 2022, Nomad deployed its own bridge product, the Nomad Token Bridge, built on its proprietary messaging protocol. Users deposited assets into the bridge, which locked them on one chain and minted equivalent “wrapped” tokens on the destination chain.

The pitch was simple and aggressive: Nomad was the safe one. In a market scarred by $1.5 billion in bridge hacks in the prior twelve months alone, Nomad positioned itself as the antidote. Its marketing called it a “security-first” protocol. Its documentation declared “security is paramount.” Its CEO posted to social media that the platform was, simply, “secure… period.”

Third-party analysis confirmed that the marketing worked. Users trusted Nomad with more assets per user than competing bridges. One external report noted that “Nomad’s security appeals are marketable and perceived valuable.” People believed the pitch. They moved their money in. Then Nomad lost it.

“With $1.5B in bridge hacks happening within the last 12 months… This is why we designed Nomad in a way that minimizes the trust assumptions for bridging.” — Nomad marketing, published while engineers internally flagged the code as dangerously undertested.
Key figures:
  • $186M total drained from the bridge
  • $100M+ net user losses
  • $37.5M recovered via white-hat hackers

Timeline of Negligence and Collapse

  • Jan 2022: Bridge launches
  • Spring 2022 (pre-exploit): Engineer warns CEO: no testing, prior vulnerability already in production
  • Jun 21, 2022: Untested code update pushed to production
  • Aug 1, 2022: Exploit begins; bridge drained of ~$186M in hours

They Knew. They Shipped Anyway.

The FTC complaint is damning precisely because of what it documents internally at Nomad. This was not a sophisticated, unforeseeable attack. The vulnerability was introduced by a June 21, 2022 code update that was pushed into production without adequate testing. The update changed how a smart contract authenticated messages, and because of an interaction with a pre-existing entry in the contract’s initialization table, the contract stopped verifying whether messages were actually legitimate.

The result: any user could extract assets from the bridge simply by replaying existing transaction templates. Once one hacker found the method, hundreds of nearly identical transactions flooded in. Within hours, $186 million (enough to provide four years of full-ride college scholarships to over 2,400 students) was gone. Nomad had no automated detection system. No circuit breaker. No kill switch. Engineers first learned about it from a screenshot posted on social media — and initially debated whether the screenshot was fake.

While engineers scrambled, the person responsible for writing the patch was on a plane, relaying code snippets through a chat application to the incident manager on the ground. Nomad could not stop the attack. It could only watch the bridge empty out in real time.

The Warning They Filed and Ignored

Months before the August 2022 exploit, a Nomad engineer raised formal concerns directly with the CEO. The engineer documented that a prior, separate vulnerability had already made it into production because of the same root cause: the company’s culture of rushing code without testing it. The engineer called for quality assurance processes and a “culture of testing.” The CEO received that warning. The COO knew about it. The company continued as before.

The same engineer who warned about testing also flagged that 36 “watcher” wallets — a central pillar of Nomad’s advertised security model — were running low on funds and needed manual top-ups that should have been automated. In a company that marketed itself as “security-first,” critical security infrastructure was being maintained by hand. The engineer wrote that the situation was “a bit disappointing to see… as we’re supposed to be a security first company.” He warned that “continually punting is how we eventually end up getting rugged without noticing an error.” They got rugged.

Nomad also had explicit internal acknowledgement that circuit breakers were essential. A Nomad marketing page itself noted “the absurdity of letting $100M exit in one transaction without any circuit breakers.” A senior engineer proposed building a set of circuit breakers and a “cultural mindset that everyone can and should pull them in the event of suspicious activity.” Nomad did not build them. When $186 million began flowing out, there was nothing to pull.
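The outflow circuit breaker the engineers proposed, modelled as an added example (this is not Nomad's code; the rolling-window design, the dollar caps and the withdrawal events are constructed for illustration):

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class OutflowBreaker:
    """Rolling-window outflow limiter; design and thresholds are constructed."""
    window_seconds: int        # length of the rolling window
    cap_usd: float             # total outflow allowed within one window
    single_tx_cap_usd: float   # largest single withdrawal allowed
    tripped: bool = False
    history: Deque[Tuple[float, float]] = field(default_factory=deque)

    def _prune(self, now: float) -> None:
        # Drop entries that have aged out of the window.
        while self.history and now - self.history[0][0] >= self.window_seconds:
            self.history.popleft()

    def window_total(self, now: float) -> float:
        self._prune(now)
        return sum(amount for _, amount in self.history)

    def allow(self, now: float, amount_usd: float) -> bool:
        """True if the withdrawal may proceed. Any breach trips the breaker,
        so every later request is paused until an operator resets it."""
        if self.tripped:
            return False
        if amount_usd > self.single_tx_cap_usd:
            self.tripped = True
            return False
        if self.window_total(now) + amount_usd > self.cap_usd:
            self.tripped = True
            return False
        self.history.append((now, amount_usd))
        return True

    def reset(self) -> None:
        # Deliberate human action after review, matching the "everyone can and
        # should pull them" proposal: the breaker never re-arms on its own.
        self.tripped = False
        self.history.clear()


def simulate(events: List[Tuple[float, float]],
             breaker: OutflowBreaker) -> List[Tuple[bool, bool]]:
    """Feed (timestamp, amount) events; return (allowed, tripped_after) per event."""
    return [(breaker.allow(t, amt), breaker.tripped) for t, amt in events]


def demo() -> List[Tuple[bool, bool]]:
    # Constructed scenario: $1M per hour cap, $500k per transaction.
    b = OutflowBreaker(window_seconds=3600, cap_usd=1_000_000,
                       single_tx_cap_usd=500_000)
    events = [(0, 400_000), (600, 400_000), (900, 300_000), (950, 10_000)]
    return simulate(events, b)
```

The third withdrawal pushes the hourly total over the cap, so it and everything after it is halted until someone reviews the activity and resets the breaker.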

“Continually punting is how we eventually end up getting rugged without noticing an error.” — A Nomad engineer, warning management months before the exploit. No action was taken.

What Happened to the $186 Million: Drained vs. Recovered vs. Lost

[Chart: USD value of $186M total drained, $37.5M recovered, and $100M+ user losses]

The Non-Financial Ledger: What the Settlement Number Doesn’t Capture

The number “$100 million” appears in this case as a single line in a legal complaint. It sanitizes something that was lived, not calculated. These were not institutional trading desks or hedge funds absorbing a quarterly write-down. These were individual users, people who had read Nomad’s marketing, watched its CEO post “We’re secure… period” from a verified social media account, and made a decision to trust a platform that used the language of safety as its primary sales mechanism. When the bridge emptied in hours, they had no recourse, no insurance, and no one with a legal obligation to make them whole.

The FTC complaint surfaces one user’s experience in particular detail: a person who lost funds through a bug in the bridge’s web interface — a separate incident from the August hack, revealing that the platform’s security failures were not isolated to one event. When an employee recommended reimbursing this user, Nomad’s executives overrode the suggestion. The stated reason was that reimbursement “would cause more people to make claims.” The CEO privately recharacterized the platform as a “free to use interface to a protocol that may have bugs / issues.” The COO agreed to deny the claim because “there are no guarantees of safety.” Meanwhile, in public, the company was declaring security paramount.

There is a specific kind of betrayal in what Nomad did to that user, and by extension to every person who deposited assets into the bridge. The company knew its public claims outpaced its actual practices. Engineers had documented it. Leadership had been briefed on it. The decision to keep marketing the platform as “security-first” while internally acknowledging unresolved vulnerabilities, undertested code, and missing safety infrastructure was made deliberately, at the executive level. The users never got to see those internal conversations. They only saw the tweets.

The August 2022 exploit stripped the bridge of $186 million (equivalent to every teacher’s annual salary in a mid-sized school district of 3,700 educators) in a matter of hours — hours during which Nomad’s only response was an engineer on a plane typing code snippets into a group chat. The people whose assets were locked in that bridge had no kill switch either. They had no emergency button, no fraud protection, no FDIC equivalent. They were trusting a company that had told them, in the most absolute terms available, that they were safe. That trust was manufactured. It was manufactured knowingly.

Users entrusted Nomad with more assets per user than competing bridges — because the security marketing worked. The engineering, as it turned out, did not.

Legal Receipts: In Their Own Words

“We’re secure… period.”

— Nomad CEO, quoted on Nomad’s official social media account (@nomadxyz_). This quote appeared in an exhibit attached to the FTC complaint. The ellipses and quotation marks are in the original post.

“Nomad is a security-first cross-chain messaging protocol.”

— Nomad’s official website (www.nomad.xyz), cited as Exhibit B in the FTC complaint. Published while the company had no written information security plan, no automated transaction monitoring, and no circuit breakers deployed.

“Security is paramount for Nomad. … This means considering financial controls and other common security measures taken in traditional finance.”

— Nomad’s official documentation (docs.nomad.xyz), cited as Exhibit E in the FTC complaint. At the time this was published, Nomad had failed to implement basic financial controls including circuit breakers, kill switches, or automated anomaly detection.

The CEO asserted that Nomad was “putting out a free to use interface to a protocol that may have bugs / issues,” and the COO agreed with not reimbursing the user because “there are no guarantees of safety.”

— FTC Complaint, Paragraph 18. These statements were made internally after a user lost funds through a Nomad interface bug, at a time when Nomad’s public marketing was simultaneously declaring that “security is paramount.”

“Continually punting is how we eventually end up getting rugged without noticing an error.”

— A Nomad engineer, as documented in the FTC complaint (Paragraph 19). The engineer made this warning to management after discovering that 36 critical “watcher” wallets were running low on funds and required manual maintenance — a process the engineer noted should have been automated months prior.

A post-exploit analysis determined that the tests mostly covered “happy-path” scenarios, meaning that Nomad only tested whether a smart contract would process messages as valid when sent valid inputs. Nomad did not test whether the smart contract would process certain messages as valid when sent invalid inputs, even though invalid inputs were reasonably foreseeable.

— FTC Complaint, Paragraph 11(A). The FTC notes this ran “contrary to widely-accepted coding practices.” Nomad’s own marketing had stressed the importance of thorough smart contract testing.
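An added, simplified model of the verification failure described in the “They Knew. They Shipped Anyway.” section, together with the negative test the FTC says was missing. This is not Nomad's code: the class, the table layout, and the assumption that the initialization-table entry collides with the mapping's default value of 0 are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict

UNPROVEN = 0  # default a mapping returns for a message that was never proven


@dataclass
class Replica:
    """Simplified bridge-side validator; names and layout are constructed."""
    # root -> height at which it was confirmed; a value of 0 means "not confirmed"
    confirmed_roots: Dict[int, int] = field(default_factory=dict)
    # message hash -> root it was proven under; absent means never proven
    proven_messages: Dict[int, int] = field(default_factory=dict)
    strict: bool = True  # False reproduces the failure, True is the hardened check

    def initialize(self, committed_root: int, height: int) -> None:
        # Stand-in for the pre-existing initialization-table entry: the
        # committed root is marked confirmed as of `height`.
        self.confirmed_roots[committed_root] = height

    def prove(self, message_hash: int, root: int) -> None:
        # A real bridge would verify a Merkle proof here; elided for brevity.
        self.proven_messages[message_hash] = root

    def acceptable_root(self, root: int) -> bool:
        return self.confirmed_roots.get(root, 0) != 0

    def process(self, message_hash: int) -> bool:
        """Return True if the message may be executed."""
        root = self.proven_messages.get(message_hash, UNPROVEN)
        if self.strict and root == UNPROVEN:
            # Hardened: an unproven message never reaches the root table, so a
            # table entry that happens to equal the default cannot vouch for it.
            return False
        return self.acceptable_root(root)


def happy_path_test(strict: bool) -> bool:
    """The kind of test the complaint says Nomad ran: valid input is accepted."""
    r = Replica(strict=strict)
    r.initialize(committed_root=0xABC, height=10)
    r.prove(message_hash=1, root=0xABC)
    return r.process(message_hash=1)


def negative_test(strict: bool) -> bool:
    """The missing test: True only if a never-proven message is rejected."""
    r = Replica(strict=strict)
    r.initialize(committed_root=0, height=10)  # assumed collision with UNPROVEN
    return not r.process(message_hash=2)       # message 2 was never proven
```

Both versions pass the happy-path test; only the negative test separates them, which is the point the complaint makes about testing with invalid inputs.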

Societal Impact Mapping

Public Health: The Stress Economy of Financial Betrayal

Losing money to a sudden, irreversible hack is not an abstract inconvenience. Financial trauma triggers measurable physiological stress responses. The American Psychological Association consistently identifies financial loss as one of the leading drivers of acute anxiety and depression. When Nomad’s bridge emptied in hours, the people who lost funds had no cooling-off period, no bank to call, and no dispute process. The loss was final, instantaneous, and irreversible for the majority of victims.

The FTC complaint establishes that users were actively targeted by Nomad’s security marketing and chose the platform specifically because they believed it was safer than alternatives. Third-party analysis confirmed users trusted Nomad with more assets per user than competing bridges. That means the people who lost the most were the people who had believed the most. The psychological weight of discovering that the trust was manufactured by a company that internally acknowledged “there are no guarantees of safety” is a harm that does not appear in the $100 million figure.

The August 2022 attack was not a discrete incident. It revealed a pattern of bugs, including the separate user-facing interface bug that caused losses prior to the exploit and which Nomad refused to compensate. Users who experienced losses before August 2022 and reported them received denial backed by private executive reasoning that was never disclosed to them publicly. They were denied both their funds and an honest explanation.

Economic Inequality: A Platform That Extracted Trust From the People Who Could Least Afford to Lose It

Cross-chain bridges like Nomad exist in the retail crypto market, attracting everyday users and small-scale participants rather than institutional actors with diversified risk exposure and legal resources. The very appeal of crypto infrastructure — decentralized, accessible, open — means the people using it are disproportionately individuals moving amounts that are personally significant even if numerically modest against the total bridge liquidity.

Users lost more than $100 million (roughly equivalent to the annual household income of 2,200 median American families combined). Of the $186 million drained, only $37.5 million (about 20%) was recovered, returned by white-hat hackers who exploited the same vulnerability to secure assets before malicious actors could take everything. The remaining gap — more than $148.5 million (enough to pay off student loans for nearly 5,000 average borrowers) — was simply gone. Nomad had no insurance product, no restitution fund, and no legal obligation under existing crypto law to make users whole.

The FTC complaint notes explicitly that Nomad “could have prevented or mitigated its failures through readily available and relatively low-cost measures.” Circuit breakers, automated monitoring, incident response plans, written security policies, adequate testing — these are standard, affordable tools in software engineering. Nomad chose not to implement them while simultaneously raising money from investors and trading on its community’s trust as social capital. The cost of doing it right was low. The company chose not to pay it. The users absorbed the entire consequence of that choice.

The disparity is structural: Nomad’s leadership still drew salaries and retained equity through the collapse. The users who deposited funds into the bridge held no equity, no board seat, no insider knowledge of the security failures, and no voice in the decision to rush untested code into production. The financial pain concentrated entirely at the bottom of the information hierarchy — with the people who had been told, explicitly and repeatedly, that they were safe.


The “Cost of a Life” Metric

$0: The cost of implementing circuit breakers — the automated shutoff switch that could have stopped or limited the $186 million drain — according to the FTC complaint’s finding that preventive measures were “readily available and relatively low-cost.” Nomad’s own marketing page called it “absurd” to let $100M exit without them. Nomad never built them: zero circuit breakers deployed. Against $100M+ in user losses (roughly what 2,200 American median households earn in a full year) and $186M total drained (enough to fund 600-bed hospital operations for a year), the engineering cost of prevention approaches zero.

$148.5M: The gap between the $186M drained and the $37.5M recovered — the money that was permanently lost and never returned to users. That $148.5M is enough to retire the student loan debt of approximately 5,000 average American borrowers, or to fund a full year of salary for every teacher in a 4,600-person school district. Nomad users saw none of it. Nomad had no obligation, under current law, to compensate them.

What Now? The People Still in the Room

The FTC has charged Nomad (Illusory Systems, Inc.) on two counts. The named corporate roles involved in documented decision-making include the CEO (who publicly declared “We’re secure… period” and privately called the platform a “free to use interface that may have bugs”) and the COO (who agreed to deny user reimbursement because “there are no guarantees of safety”). Their names are not confirmed in the source document. The entity is Illusory Systems, Inc., a Delaware corporation headquartered in Centerville, Utah.

  • FTC (Federal Trade Commission): The agency that filed this complaint. Track this case’s resolution at FTC.gov. Demand that any consent order include mandatory restitution to affected users, not just behavioral requirements on the company.
  • CFPB (Consumer Financial Protection Bureau): Push your representatives to expand CFPB jurisdiction explicitly to crypto platforms handling consumer funds. The legal gap that let Nomad operate without insurance, restitution requirements, or mandatory security standards is a policy failure, not an accident.
  • SEC (Securities and Exchange Commission): Monitor whether Nomad’s bridge tokens or fundraising activities trigger securities law obligations. The $22M seed round Nomad raised while marketing security it hadn’t built deserves scrutiny.
  • Your state Attorney General: State consumer protection offices can act independently of federal agencies. If you lost funds in the Nomad bridge hack, file a complaint. Volume of complaints matters in regulatory prioritization.
  • Nomad’s investors: Nomad announced a $22M seed round from named investors (not confirmed in source). Venture capital firms that backed the “security-first” marketing should face public accountability for the governance failures documented in this complaint.

The structural fix here is not complicated: require any platform handling consumer financial assets to carry minimum security standards, mandatory incident response plans, and restitution obligations before they can market themselves to the public. Until that legislation exists, crypto users are operating in a space where a company can declare itself secure, collect your trust and your money, and face a regulatory complaint only after it’s already gone. Support organizations pushing for meaningful digital asset consumer protection legislation. Find your local mutual aid networks. Keep your most critical assets out of unaudited infrastructure. And when a company tells you it’s secure, period, ask to see the test coverage reports.


The source document for this investigation is attached below.

As per this press release on the FTC’s website, Illusory Systems was forced to pay restitution to the victims: https://www.ftc.gov/news-events/news/press-releases/2025/12/ftc-will-require-illusory-systems-return-money-stolen-hackers-implement-information-security-program

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
