In what is being cited as one of the largest crypto attacks in recent memory, bad actors drained an estimated $190 million in funds from the San Francisco-headquartered blockchain bridge site, which facilitates people exchanging their crypto-tokens from one site to another. The attack started Monday, and reportedly continued into Tuesday morning, Nomad confirmed in an Aug. 2 tweet, where the company said it was “working around the clock to address the situation and [had] notified law enforcement and retained leading firms for blockchain intelligence and forensics.”
“Our goal is to identify the accounts involved and to trace and recover the funds,” the tweet added. Nomad also released a statement to CoinDesk.
The Nomad bridge attack was the third-biggest crypto heist of 2022 and the ninth-biggest of all time, according to Comparitech's worldwide cryptocurrency heist tracker. But that’s not all that makes this attack stand out, according to Rebecca Moody, head of data research at Comparitech.
“In a unique twist, the hack on Nomad appeared to be carried out by numerous copy-and-paste actors,” Moody said. Experts suggest that the “initial hacker found a fatal flaw in the platform's Replica contract, meaning that anyone — including those with zero coding knowledge — could locate a transaction that worked, use their address to replace the user's address, and re-broadcast it,” Moody added.
“There are suggestions that white hat hackers removed some of the funds to safeguard them,” Moody said, “but it remains to be seen just how much of the $190 million is recoverable.” Indeed, after the vast majority of Nomad’s funds were stolen, there was reportedly just $651.54 left, she said. Earlier on Tuesday, Nomad tweeted, “Thank you to our many white hat friends who acted proactively and are safeguarding funds. Please continue to hold them until we provide further instructions on this thread.”
The blockchain bridge firm posted on Twitter Monday evening that it was “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.”
Even well before this attack on Nomad, more than $1 billion in assets had been stolen from blockchain bridge sites as of late June 2022, according to forensics firm Elliptic. These attacks are often attributed to the nascent status of bridge sites and their related lack of security. Cases in point: In June, blockchain bridge Harmony reportedly lost about $100 million in an attack; Ronin Network suffered $600 million in losses in March; and Wormhole was taken for $320 million in February.
“Most attacks on crypto companies require specialized knowledge of how transactions are carried out and how to exploit that process,” said Paul Bischoff, privacy advocate with Comparitech, “but in this case anyone with knowledge of the vulnerability could pull off an exploit and steal coins.”
Unfortunately, Bischoff said there will likely be more such attacks to come. “Unlike fiat currency, crypto wallets are not insured and transactions cannot be reversed,” he said.
“So long as there’s a lot of novices moving around a bunch of money,” he added, “we'll continue to see attackers target crypto companies and their customers.”
Chris Cleveland, founder and CEO of PIXM, said the Nomad incident is a reminder of how far the security of cross-chain bridges and general cryptocurrency platforms has to go to catch up with the cybersecurity standards of other financial infrastructure.
"We are seeing and monitoring crypto-related phishing and other cyberattacks every day, and they are getting more sophisticated and require users to exercise more caution than ever," said Cleveland.
Erich Kron, security awareness advocate at KnowBe4, said he expects attacks on cryptocurrency platforms to only increase.
"Seeing the significant amount of money lost in these attacks, often in the tens of millions of dollars, it's no wonder attackers are continuing to put a lot of resources into attempting to find and exploit vulnerabilities in all parts of the cryptocurrency industry," said Kron.