Illusory Systems, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

Issuing agencies

Abstract

The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 242 (Friday, December 19, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 242 (Friday, December 19, 2025)]
[Notices]
[Pages 59521-59522]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-23407]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 232 3016]


Illusory Systems, Inc.; Analysis of Proposed Consent Order To Aid 
Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of Federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before January 20, 2026.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Illusory 
Systems; File No. 232 3016'' on your comment and file your comment 
online at <a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on 
the web-based form. If you prefer to file your comment on paper, please 
mail your comment to: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Ave. NW, Mail Stop H-144 (Annex B), 
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: M. Hasan Aijaz (214-979-9386), 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 400 7th St. SW, 
Washington, DC 20024.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of 30 days. The following 
Analysis to Aid Public Comment describes the terms of the consent 
agreement and the allegations in the complaint. An electronic copy of 
the full text of the consent agreement package can be obtained at 
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 20, 
2026. Write ``Illusory Systems; File No. 232 3016'' on your comment. 
Your comment--including your name and your State--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
    We encourage you to submit comments through the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website. Postal mail addressed to the Commission 
will be subject to delay because of heightened security screening. If 
you prefer to file your comment on paper, write ``Illusory Systems; 
File No. 232 3016'' on your comment and on the envelope, and send it 
via overnight service to: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex B), 
Washington, DC 20580.
    Because your comment will be placed on the publicly accessible 
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other State 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--

[[Page 59522]]

including competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website--as legally 
required by FTC Rule 4.9(b)--we cannot redact or remove your comment 
from that website, unless you submit a confidentiality request that 
meets the requirements for such treatment under FTC Rule 4.9(c), and 
the General Counsel grants that request.
    Visit the FTC website at <a href="https://www.ftc.gov">https://www.ftc.gov</a> to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before January 20, 2026. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from 
Illusory Systems, Inc., doing business as Nomad (``Respondent''). The 
proposed consent order (``proposed order'') has been placed on the 
public record for 30 days for receipt of comments from interested 
persons. Comments received during this period will become part of the 
public record. After 30 days, the Commission will again review the 
agreement and the comments received, then decide whether it should 
withdraw from the agreement and take appropriate action or make final 
the agreement's proposed order.
    This matter involves Respondent's software development practices. 
Respondent operated an online service, a token bridge, through which 
consumers could transfer assets to peers.
    The proposed complaint alleges that Respondent claimed to keep 
users' assets secure, but in fact failed to implement reasonably secure 
software development practices. For example, the proposed complaint 
alleges that Respondent failed to: conduct adequate unit tests, 
implement a process for receiving and addressing third-party security 
vulnerability reports, have a Written Information Security Plan, and 
implement widely-known technologies that would mitigate critical loss 
of user funds. The proposed complaint alleges that as a result of 
Respondent's failures, in August 2022, hackers exploited a significant 
vulnerability in the token bridge and took virtually all of its 
assets--worth approximately $186 million. Even after Respondent 
recovered some assets and returned them to users, users of the bridge 
were left with losses that exceeded $100 million worth of assets.
    The proposed complaint alleges that Respondent violated section 
5(a) of the FTC Act by: (1) failing to employ reasonable and 
appropriate software development practices; and (2) misrepresenting 
that it implemented secure software development practices. The proposed 
order contains provisions designed to prevent Respondent from engaging 
in the same or similar acts or practices in the future.
    Part I prohibits Respondent from misrepresenting (1) the extent to 
which Respondent implements reasonable and appropriate software 
development practices; and (2) the extent to which it secures 
consumers' financial assets.
    Part II requires Respondent to establish and implement, and 
thereafter maintain, a comprehensive information security program 
(``Security Program'') that protects the consumers' financial assets. 
Part III requires Respondent to obtain initial and biennial data 
security assessments for ten years. Part IV requires Respondent to 
disclose all material facts to the assessor and prohibits Respondent 
from misrepresenting any fact material to the assessment required by 
Part III.
    Part V requires Respondent to submit an annual certification from a 
senior corporate manager (or senior officer responsible for its 
Security Program) that Respondent has implemented the requirements of 
the Order and is not aware of any material noncompliance that has not 
been corrected or disclosed to the Commission. Part VI requires 
Respondent to return recovered assets to users and to submit a report 
at the conclusion of the program summarizing its compliance.
    Part VII requires Respondent to submit an acknowledgement of 
receipt of the order, including all officers or directors and employees 
having managerial responsibilities for conduct related to the subject 
matter of the order, and to obtain acknowledgements from each 
individual or entity to which Respondent has delivered a copy of the 
order.
    Part VIII requires Respondent to file compliance reports with the 
Commission and to notify the Commission of bankruptcy filings or 
changes in corporate structure that might affect compliance 
obligations. Part IX contains recordkeeping requirements for accounting 
records, personnel records, consumer correspondence, advertising and 
marketing materials, and all records necessary to demonstrate 
compliance with the order. Part X contains other requirements related 
to the Commission's monitoring of Respondent's order compliance.
    Part XI provides the effective dates of the order, including that, 
with exceptions, the order will terminate in 10 years.
    The purpose of this analysis is to facilitate public comment on the 
order, and it is not intended to constitute an official interpretation 
of the complaint or order, or to modify the order's terms in any way.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2025-23407 Filed 12-18-25; 8:45 am]
BILLING CODE 6750-01-P


</pre></body>
</html>