Nomad

2021-11-10

Illusory Systems, Inc. incorporated in Delaware by Pranay Mohan, James Prestwich, and Austin Liau.

2022-05-01

Quantstamp begins security audit of Nomad's smart contract system.

2022-06-09

Quantstamp delivers final audit report identifying 40 issues, including input validation edge cases. Audit team notes the Nomad team misunderstood at least one flagged issue.

2022-06-21

Nomad deploys a routine upgrade to its Replica smart contract that initializes the trusted Merkle root to 0x00, introducing the critical vulnerability. The deployed code differs from the audited version.

2022-08-01

An initial attacker discovers the zero-root initialization bug and begins draining funds from the Nomad bridge by calling the process() function with a zero root and modified recipient addresses.

2022-08-02

Over 300 wallet addresses join the exploit after the initial attacker's transaction calldata becomes visible on-chain. Approximately $190 million in user funds are drained in a chaotic free-for-all. CNN Business, TechCrunch, and CoinDesk report the event contemporaneously.

2022-08-05

Nomad announces a 10 percent bounty program, offering legal immunity and fund retention for any attacker returning at least 90 percent of drained assets.

2022-08-11

Coinbase publishes incident analysis estimating 88 percent of participating addresses were copycats; copycats collectively stole approximately $88 million.

2022-08-20

Over $36 million returned to Nomad's recovery address by more than 40 participating wallets — approximately 19 percent of total stolen funds.

2022-12-01

Nomad relaunches bridge to allow users to withdraw remaining bridged assets. The relaunch attracts negligible user activity and TVL.

2023-01-01

Class action lawsuit Singh v. Illusory Systems, Inc. et al. (1:23-cv-00183, D. Del.) filed by affected users asserting RICO and negligence claims.

2023-08-16

Federal grand jury in the Northern District of California issues an eight-count indictment against Alexander Gurevich for his alleged role in the exploit, including wire fraud, conspiracy, and money laundering.

2024-04-08

Federal district court dismisses RICO claims and most negligence claims in Singh v. Illusory Systems; fraud claim allowed to proceed.

2024-12-01

United States formally requests extradition of Alexander Gurevich from Israel.

2025-04-19

Gurevich re-enters Israel during the Passover holiday. Israeli authorities order him to appear for an extradition hearing, which he ignores.

2025-04-30

Gurevich legally changes his name to 'Alexander Block' in the Israeli Population Registry in an alleged attempt to conceal his identity.

2025-05-01

Israeli police arrest Alexander Gurevich at Ben-Gurion Airport while he is attempting to board a flight to Russia. Israeli authorities approve extradition to the United States.

2025-12-17

FTC announces proposed consent order requiring Illusory Systems to repay approximately $37.5 million to affected users and implement a 10-year information security program. Federal Register notice published December 19, 2025.