Arrest of Nomad Bridge Hack Suspect

Gurevich, a dual Russian-Israeli citizen, has been arrested in Israel for his alleged involvement in the $190 million Nomad Bridge hack that occurred in August 2022.

Alexander Gurevich, a dual US-Israeli citizen, has been detained in Israel and now faces extradition to the United States, where he is being sued by the liquidators of bankrupt crypto firm Celsius Network for allegedly collecting a portion of a $190 million bounty from the 2022 Nomad Bridge hack.

The arrest of Gurevich, who is also a Russian citizen, comes as part of an ongoing investigation into the August 2022 hack of the Nomad cryptocurrency bridge, which saw nearly $190 million stolen from the protocol.

According to reports, Gurevich was planning to flee to Russia but was apprehended at Ben Gurion Airport while attempting to travel on a new identity after legally changing his name to "Alexander Block" just days prior.

"He fits the profile of a crypto-native threat actor: skilled in smart contract exploitation but ultimately undone by poor opsec," said Peter Kacherginsky, a blockchain security expert and formerly of Coinbase’s Unit 0x security team, on X in reaction to Gurevich’s arrest.

The 2022 Nomad Bridge exploit, which saw the misconfiguration of a bridge's process() function cause the contract to accept any message with the correct root hash—even if the proof was illegitimate—has been touted as one of the most remarkable and chaotic hacks in decentralized finance (DeFi) history.

On August 1, 2022, after a routine code update introduced a critical vulnerability in a Nomad smart contract—a verification bug—messages with invalid proofs began to be accepted as valid.

This misconfiguration in the bridge's process() function caused the contract to accept any message with the correct root hash, regardless of whether the proof was legitimate.

Once one user figured out the exploit—believed to be Gurevich—it was rapidly copied and pasted by hundreds of wallets in a type of "mob attack," turning a targeted hack into an opportunistic frenzy.

The identity of the first user to attempt to siphon funds from the protocol is still up for debate, but according to reports by The Block and Point of Law, US prosecutors are putting forth the case that Gurevich was the first to manage to steal from Nomad and that he later had a hand in laundering the funds.

The accusations are based on a series of Telegram messages Gurevich sent to the Nomad team, in which he requested a US$500,000 bounty for identifying the vulnerabilities in Nomad’s smart contracts that allowed them to be exploited.

The funds were laundered through a complex web of privacy coins, mixers, and offshore financial entities, according to publicly available court filings and law enforcement statements.

Of the total US$190 million exploited from Nomad, Gurevich is said to have managed to siphon US$2.89 million. The rest of the US$190 million is believed to have been lost to the copycats who joined in a free-for-all to steal as much money as they could.

According to TRM Labs, Gurevich used a 'classic mixer stack', moving assets through Tornado Cash on Ethereum, then converting ETH to privacy coins such as Monero (XMR) and Dash (DASH), which were routed through Defi tools—non-custodial exchanges and decentralized liquidity pools— to cash out via over-the-counter (OTC) and offshore bank accounts. The offshore bank accounts were often linked to shell companies registered in jurisdictions with ‘loose’ regulations.

It is also suggested that Gurevich leveraged Virtual Asset Service Providers (VASPs) platforms with weak Know Your Customer (KYC) standards to convert crypto into fiat. He also allegedly used peer-to-peer (P2P) platforms in jurisdictions with limited enforcement capacity.

The successful arrest and extradition of a key figure in the Nomad Bridge exploit could have broader implications for DeFi security and legal precedents in the cryptocurrency industry. It also highlights the increasing role of blockchain intelligence and global cooperation in tracking down and apprehending cross-border crypto criminals.