Cryptocurrency service Nomad suffered a “chaotic” attack on Monday and into Tuesday morning, with hackers draining almost $200 million in digital funds from the company within a few hours.
In a tweet Tuesday morning, Nomad said it is “working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics.” It added that its goal is to identify the accounts that siphoned cryptocurrencies from its service and recover the money.
Nomad operates a so-called blockchain bridge, which allows people to move tokens from one blockchain to another, solving the challenge of interoperability between different types of cryptocurrencies. But these technologically complex services have been prone to attacks, with hackers exploiting security vulnerabilities to steal more than $1 billion in assets so far in 2022, according to forensics firm Elliptic.
One security researcher on Twitter described the Nomad attack as “chaotic” and a “free-for-all,” with people swarming to drain the accounts after realizing that a security flaw meant that if they could find a valid transaction request, they could replace the other person’s address with their own and effectively redirect assets to their own accounts.
Nomad blamed “impersonators posing as Nomad and providing fraudulent addresses to collect funds.”
The theft follows the hack of blockchain bridge Harmony in June, which lost about $100 million in the attack. These bridges are seen as especially vulnerable to hacks partly because of their relative newness and inevitable bugs and are therefore frequently targeted by cybercriminals. Recent hacks include the $320 million wormhole hack in February and the more than $600 million Ronin Network hack in March.
Bridges are also susceptible to theft because they hold a lot of cryptocurrencies, making them targets for hackers, and due to their lack of decentralization and oversight, according to Elliptic. Some bridges don’t require many signatures to approve a transaction, and some services have sacrificed security as they develop quickly, the group added.