Illusory Systems, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

<NOTICE> FEDERAL TRADE COMMISSION <DEPDOC>[File No. 232 3016]</DEPDOC> <SUBJECT>Illusory Systems, Inc.; Analysis of Proposed Consent Order To Aid Public Comment</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Federal Trade Commission. <HD SOURCE="HED">ACTION:</HD> Proposed consent agreement; request for comment. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations. </SUM> <DATES> <HD SOURCE="HED">DATES:</HD> Comments must be received on or before January 20, 2026. </DATES> <HD SOURCE="HED">ADDRESSES:</HD> Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the <E T="02">SUPPLEMENTARY INFORMATION</E> section below. Please write “Illusory Systems; File No. 232 3016” on your comment and file your comment online at <E T="03">https://www.regulations.gov</E> by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Ave. NW, Mail Stop H-144 (Annex B), Washington, DC 20580. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> M. Hasan Aijaz (214-979-9386), Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 400 7th St. SW, Washington, DC 20024. </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at <E T="03">https://www.ftc.gov/news-events/commission-actions.</E> You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 20, 2026. Write “Illusory Systems; File No. 232 3016” on your comment. Your comment—including your name and your State—will be placed on the public record of this proceeding, including, to the extent practicable, on the <E T="03">https://www.regulations.gov</E> website. We encourage you to submit comments through the <E T="03">https://www.regulations.gov</E> website. Postal mail addressed to the Commission will be subject to delay because of heightened security screening. If you prefer to file your comment on paper, write “Illusory Systems; File No. 232 3016” on your comment and on the envelope, and send it via overnight service to: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex B), Washington, DC 20580. Because your comment will be placed on the publicly accessible website at <E T="03">https://www.regulations.gov,</E> you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other State identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. <E T="03">See</E> FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the <E T="03">https://www.regulations.gov</E> website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. Visit the FTC website at <E T="03">https://www.ftc.gov</E> to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before January 20, 2026. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see <E T="03">https://www.ftc.gov/site-information/privacy-policy.</E> <HD SOURCE="HD1">Analysis of Proposed Consent Order To Aid Public Comment</HD> The Federal Trade Commission (“Commission”) has accepted, subject to final approval, an agreement containing a consent order from Illusory Systems, Inc., doing business as Nomad (“Respondent”). The proposed consent order (“proposed order”) has been placed on the public record for 30 days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement and the comments received, then decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's proposed order. This matter involves Respondent's software development practices. Respondent operated an online service, a token bridge, through which consumers could transfer assets to peers. The proposed complaint alleges that Respondent claimed to keep users' assets secure, but in fact failed to implement reasonably secure software development practices. For example, the proposed complaint alleges that Respondent failed to: conduct adequate unit tests, implement a process for receiving and addressing third-party security vulnerability reports, have a Written Information Security Plan, and implement widely-known technologies that would mitigate critical loss of user funds. The proposed complaint alleges that as a result of Respondent's failures, in August 2022, hackers exploited a significant vulnerability in the token bridge and took virtually all of its assets—worth approximately $186 million. Even after Respondent recovered some assets and returned them to users, users of the bridge were left with losses that exceeded $100 million worth of assets. The proposed complaint alleges that Respondent violated section 5(a) of the FTC Act by: (1) failing to employ reasonable and appropriate software development practices; and (2) misrepresenting that it implemented secure software development practices. The proposed order contains provisions designed to prevent Respondent from engaging in the same or similar acts or practices in the future. Part I prohibits Respondent from misrepresenting (1) the extent to which Respondent implements reasonable and appropriate software development practices; and (2) the extent to which it secures consumers' financial assets. Part II requires Respondent to establish and implement, and thereafter maintain, a comprehensive information security program (“Security Program”) that protects the consumers' financial assets. Part III requires Respondent to obtain initial and biennial data security assessments for ten years. Part IV requires Respondent to disclose all material facts to the assessor and prohibits Respondent from misrepresenting any fact material to the assessment required by Part III. Part V requires Respondent to submit an annual certification from a senior corporate manager (or senior officer responsible for its Security Program) that Respondent has implemented the requirements of the Order and is not aware of any material noncompliance that has not been corrected or disclosed to the Commission. Part VI requires Respondent to return recovered assets to users and to submit a report at the conclusion of the program summarizing its compliance. Part VII requires Respondent to submit an acknowledgement of receipt of the order, including all officers or directors and employees having managerial responsibilities for conduct related to the subject matter of the order, and to obtain acknowledgements from each individual or entity to which Respondent has delivered a copy of the order. Part VIII requires Respondent to file compliance reports with the Commission and to notify the Commission of bankruptcy filings or changes in corporate structure that might affect compliance obligations. Part IX contains recordkeeping requirements for ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 11k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━