The Federal Trade Commission (FTC) announced a proposed consent order with Illusory Systems Inc. (Illusory), a Utah-based blockchain infrastructure company that operates the Nomad Token Bridge. The settlement resolves the FTC’s allegations that Illusory failed to live up to its stated data security commitments, leading to a 2022 cyberattack in which hackers stole approximately $186 million in crypto assets from platform users. Under the proposed order, Illusory must return to consumers any recovered funds and implement enhanced information security measures.

According to the FTC, in June 2022 the company deployed inadequately tested code containing a significant vulnerability, which allowed users to transfer messages and cryptocurrency. In August 2022, hackers allegedly exploited the flaw in the code to drain the bridge of assets, resulting in an estimated $186 million loss with approximately $100 million still unrecovered.

In its complaint, the FTC alleged that Illusory engaged in deceptive and unfair practices in violation of Section 5 of the FTC Act by representing that it prioritized “security-first” and that it took advantage of “every tool that protects users,” while allegedly failing to implement basic security measures. Specifically, the FTC contended that Illusory did not employ secure coding practices, lacked sufficient processes for receiving and remediating vulnerability reports, and did not maintain adequate incident response capabilities or staffing. The FTC’s two sitting Republican commissioners voted unanimously to approve issuance of the proposed complaint and order, which is now subject to a 30-day public comment period.

Under the proposed consent order, Illusory must implement a comprehensive information security program designed to protect against theft and other unauthorized access and address the specific security concerns identified in the FTC’s complaint. The company is also required to undergo independent, biennial assessments of its information security program and to cooperate with the third-party assessor.

This action reflects the FTC’s longstanding focus on cybersecurity practices, particularly where companies market their cybersecurity as an attribute to develop business and sell products and services. This settlement also highlights the increasing sophistication of regulators when it comes to identifying perceived deficiencies and risks in rapidly evolving technologies, such as blockchain. Firms offering digital asset or infrastructure services should closely evaluate their software development lifecycles, vulnerability management, staffing, and incident response capabilities, as well as the accuracy of their security-related disclosures. Regular review and testing of security practices can help mitigate regulatory and litigation risk as enforcement in this space continues to evolve.

Clayton Friedman

Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.

Trey Smith

Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation. He has experience litigating the Consumer Financial Protection Act, the FTC Act, the Truth in Lending Act, state UDAAP statutes, and other consumer protection laws.

Daniel Waltz

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.