
Illusory Systems settles with FTC over 2022 cryptocurrency hack

The company was charged with materially misrepresenting the cybersecurity of its Token Bridge software as executives failed to implement reasonable security.
FTC building (John Taylor/Flickr)

The Federal Trade Commission is ordering a company that publicly touted its cybersecurity capabilities to return recovered funds to victims and implement security reforms, after a software flaw let hackers steal hundreds of millions of dollars in cryptocurrencies from users.

The FTC announced it had reached a settlement with Illusory Systems, which also does business as Nomad, following an investigation into a 2022 incident where hackers exploited a vulnerability in the company’s Token Bridge cryptocurrency smart contract solution. The program provides protocols that connect different blockchains and allow users to transfer assets between them.

As part of the deal, the company must implement a comprehensive cybersecurity plan, including addressing security flaws identified in the FTC’s complaint and programs for protecting consumers from theft and fraud. It must also submit the plan and cooperate with independent third-party assessors on any improvements and return stolen money clawed back by law enforcement.

“The FTC Act requires companies to take reasonable security measures,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, in a statement. “It’s important that companies live up to their security promises to consumers.”


According to an FTC complaint, in June 2022, Illusory Systems introduced “new, inadequately tested code” for Token Bridge, its set of cryptocurrency smart contracts, following a security audit.

Just one month later, malicious hackers used the flaw to steal $186 million from users in cryptocurrency funds. White hat hackers were able to use the same exploit to safeguard at least $37 million of the stolen funds before hackers could drain them, and the agreement directs Illusory Systems to return that money to users.

The FTC focused on how Illusory Systems presented its Token Bridge network to customers, charging the company with materially misrepresenting its commitment to security to users.

At different points the company advertised the smart contract solution as “high security,” a “security first” solution that “prioritizes the safety and security of the funds/cross chain messages” and something that would “keep the entire system (and your funds/messages) safe.”

Another message simply stated: “We’re secure…period.”


But the FTC’s investigation found that Illusory Systems had failed to put in place reasonable and appropriate security practices.

Despite knowing that cross-chain bridges like Token Bridge were targeted by hackers and could result in “catastrophic loss” if compromised, developers failed to implement “well known secure coding practices, such as writing and conducting adequate unit tests prior to pushing code to production.”

In fact, company software engineers and a post-incident analysis revealed that most testing of Token Bridge focused on making sure it functioned properly, rather than verifying that it was secure.

According to the commission, Illusory Systems lacked adequate security staff, clear vulnerability reporting and response processes, a written security plan, and “widely accepted industry norms” such as circuit breakers or a “kill switch” that could halt suspicious financial transactions.

Compounding matters, the company lacked automated fraud monitoring, so it learned about the breach from a user on social media instead of detecting it internally.
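As an added illustration (not code from Nomad, Illusory Systems or the FTC filing), the Solidity sketch below shows the two controls the complaint says were missing: a guardian-operated kill switch and an automatic circuit breaker that pauses releases when outflow in a time window exceeds a cap. The `guardian` role, the window parameters and the `_release` hook are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not Nomad's code: a bridge release path guarded by an
// operator kill switch and an automatic outflow circuit breaker.
abstract contract GuardedBridge {
    address public immutable guardian;      // assumed role allowed to pause/unpause
    uint256 public immutable windowSeconds; // length of the rate-limit window
    uint256 public immutable windowCap;     // max amount releasable per window
    bool public paused;
    uint256 public windowStart;
    uint256 public releasedInWindow;

    event Released(address indexed to, uint256 amount);
    event CircuitBroken(uint256 attempted, uint256 alreadyReleased);
    event PausedSet(bool paused);

    constructor(uint256 _windowSeconds, uint256 _windowCap) {
        guardian = msg.sender;
        windowSeconds = _windowSeconds;
        windowCap = _windowCap;
        windowStart = block.timestamp;
    }

    // Manual kill switch: responders halt every release with one transaction.
    function setPaused(bool p) external {
        require(msg.sender == guardian, "not guardian");
        paused = p;
        emit PausedSet(p);
    }

    // Called by the message-processing path only after the cross-chain proof
    // has been verified (verification itself is outside this sketch).
    function _release(address to, uint256 amount) internal {
        require(!paused, "bridge paused");
        if (block.timestamp >= windowStart + windowSeconds) { // roll the window
            windowStart = block.timestamp;
            releasedInWindow = 0;
        }
        if (releasedInWindow + amount > windowCap) {
            // Automatic circuit breaker. Return rather than revert so the
            // pause is persisted instead of being rolled back with the call.
            paused = true;
            emit CircuitBroken(amount, releasedInWindow);
            emit PausedSet(true);
            return;
        }
        releasedInWindow += amount;
        emit Released(to, amount);   // the asset transfer to `to` would follow
    }
}
```

A message that trips the breaker is dropped rather than processed, so a real bridge would also record it for replay after human review; the `CircuitBroken` event is the signal an off-chain monitor would alert on.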


Staff scrambled to respond to the hack, even relying on an engineer on a flight to relay code snippets via an online chat. The delays meant security staff were “unable to shut down the bridge until after it had been emptied of assets.”

Months before the hack, an engineer warned the CEO about weak code testing and quality assurance, noting that the company had previously shipped code with a significant vulnerability because it wasn’t properly tested.

The investigation also revealed that despite promising to keep customers’ funds secure, the company previously overrode internal efforts to reimburse users who lost money when a bug in the web-based Token Bridge interface caused losses.

In one instance the chief operating officer reportedly said “there are no guarantees of safety” and the CEO noted that Illusory Systems was “putting out a free-to-use interface to a protocol that may have bugs/issues.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
