Israel arrests new suspect behind Nomad Bridge $190M crypto hack

An American-Israeli national named Alexander Gurevich has been arrested in Israel for his alleged involvement in exploiting the Nomad bridge smart-contract in August 2022 that allowed hackers to siphon $190 million.

Blockchain intelligence platform TRM Labs supplied key information to international law enforcement authorities, leading to the identification of Gurevich, who is believed to have played a central role in what is one of the largest hacks in DeFi history.

"The suspect, American-Israeli dual national Alexander Gurevich, was arrested in Jerusalem by Israeli police working in coordination with the DOJ, the FBI, and Interpol," explained TRM Labs.

According to the blockchain intelligence firm, Gurevich will soon be extradited to the United States as the legal procedures have already been approved.

Gurevich's links to Nomad Bridge hack

The Nomad bridge is a cross-chain messaging protocol that lets users transfer assets between different blockchains.

On August 1, 2022, attackers exploited a critical vulnerability introduced in an update to its Replica smart contract, specifically in its process() function.

Though the contract was supposed to verify message proofs before releasing funds, a misconfiguration allowed any message with a correct root hash to be accepted, even if the underlying proof was invalid.

Once a single attacker figured out the flaw, the exploit method was quickly picked up by hundreds of other wallets, as it consisted of simply copy-pasting a specific transaction format.

This "mob-style" attack led to a chaotic and decentralized looting of the bridge, draining over $190 million in ETH, USDC, WBTC, and ERC-20 tokens.
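The article describes the flaw only at a high level. The following simplified model is an added illustration by the editor, not Nomad's code or material from TRM Labs; it follows the publicly documented root cause of the bug (an upgrade initialized the Replica with the zero root as a trusted root, and any message that had never been proven read back that same zero root from storage, so process() treated it as proven). The class, field and function names are the editor's own, and the hash function and message bytes are constructed stand-ins.

```python
"""Model of a bridge 'Replica' acceptance check, vulnerable vs. hardened.

Editor's illustration (assumption-based, not Nomad's contract). A proven
message is recorded as messageHash -> merkleRoot; process() releases funds
only if that recorded root is an acceptable root.
"""
from dataclasses import dataclass, field
import hashlib

ZERO_ROOT = bytes(32)   # what an unset storage slot reads back as


def msg_hash(message: bytes) -> bytes:
    """Stand-in for keccak256; the specific hash is irrelevant to the model."""
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    hardened: bool
    now: int = 100
    confirm_at: dict = field(default_factory=dict)   # root -> time it becomes acceptable
    messages: dict = field(default_factory=dict)     # message hash -> root it was proven under
    processed: set = field(default_factory=set)

    def initialize(self, committed_root: bytes) -> None:
        """Upgrade-time initialization. Modelled flaw (from public post-mortems):
        passing the zero root marks it 'confirmed', so every unproven message,
        whose stored root defaults to zero, looks trusted."""
        if self.hardened and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False                      # defence in depth: zero is never a real root
        t = self.confirm_at.get(root, 0)
        return t != 0 and t <= self.now

    def prove(self, message: bytes, root: bytes) -> None:
        """Merkle-proof verification is out of scope; only the bookkeeping is modelled."""
        self.messages[msg_hash(message)] = root

    def process(self, message: bytes) -> bool:
        """Release funds if the message's recorded root is acceptable."""
        h = msg_hash(message)
        if h in self.processed:
            return False
        if self.hardened and h not in self.messages:
            return False                      # explicit "was this ever proven?" check
        if not self.acceptable_root(self.messages.get(h, ZERO_ROOT)):
            return False
        self.processed.add(h)
        return True


def demo() -> tuple:
    """Returns (vulnerable accepts unproven, hardened accepts unproven, hardened accepts proven)."""
    unproven = b"constructed: transfer funds, never proven"
    proven = b"constructed: legitimate transfer"
    good_root = msg_hash(b"constructed root")

    vuln = Replica(hardened=False)
    vuln.initialize(ZERO_ROOT)                 # the bad upgrade parameter
    accepted_by_vuln = vuln.process(unproven)  # never proven, yet released

    safe = Replica(hardened=True)
    safe.initialize(good_root)
    accepted_unproven_by_safe = safe.process(unproven)
    safe.prove(proven, good_root)
    accepted_proven_by_safe = safe.process(proven)
    return accepted_by_vuln, accepted_unproven_by_safe, accepted_proven_by_safe


def hardened_rejects_zero_root() -> bool:
    """Invariant a deployment test should enforce: the zero root is never trusted."""
    try:
        Replica(hardened=True).initialize(ZERO_ROOT)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), hardened_rejects_zero_root())
```

The hardened variant adds two independent checks (an explicit "was this message proven" lookup and a refusal to ever treat the zero root as confirmed), so that a single bad initialization parameter cannot silently turn every unproven message into an accepted one; the same invariant is what an upgrade test suite for such a contract should assert before deployment.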

Figure: Overview of the attack at Nomad Bridge (Source: TRM Labs)

TRM Labs comments that the vulnerability was very easy to leverage, so even people with no hacking skills or deep blockchain knowledge joined in the exploitation. However, experienced North Korean actors were also implicated.

Alexander Gurevich is not believed to have written or initiated the exploit code itself, but TRM Labs says he "played a central role," and evidence suggests he conspired with others to launder large amounts of funds stolen during the exploit.

Wallets linked to Gurevich received stolen assets within hours of the bridge being drained, suggesting close coordination with early attackers.

TRM Labs' data shows that Gurevich used 'chain-hopping' to move the stolen tokens across various blockchains, the Tornado Cash mixer to obfuscate the origin of the funds, and swaps of ETH into the privacy-focused coins Monero (XMR) and Dash.

Figure: Gurevich's money laundering process (Source: TRM Labs)

To cash out the proceeds, he used non-custodial exchanges, OTC brokers, and offshore bank accounts tied to fake or opaque legal entities, and also converted some crypto to fiat through providers with no KYC standards.

Despite all the obfuscation efforts and the time that has passed since these events, blockchain transaction analysis still yielded enough clues to uncover Gurevich's identity, resulting in his arrest.

Gurevich's arrest follows that of another suspected hacker, a Russian-Israeli citizen named Alexander Gurevich, who was caught on May 1st at Ben Gurion Airport in Tel Aviv carrying documents in a new name, Alexander Block, which he had officially adopted.

According to prosecutors, Gurevich exploited the Nomad bridge flaw and withdrew about $2.89 million in digital tokens. This was followed by others finding the issue and leveraging it to siphon assets.

Jerusalem Post reports that on August 4, 2022, Gurevich contacted Nomad's Chief Technology Officer and admitted he had been probing Nomad for weaknesses, apologizing for the trouble and later demanding a $500,000 reward for identifying the vulnerability.

Update 5/17 - Article updated to replace Osei Morrell with Alexander Gurevich, following a corresponding correction at the source report by TRM Labs.
