'Copycats' Stole $88M During Nomad Exploit by Copying Attacker's Code: Coinbase

Over 88% of the addresses involved in the $190 million Nomad attack likely belonged to users copying code that was initially used by the exploiters.

Updated May 11, 2023, 6:42 p.m. Published Aug 11, 2022, 8:45 a.m.
Most of those attacking Nomad's cross-chain bridge were copying the original hackers. (Charlie Green/Unsplash)

Some 88% of the exploiters behind Nomad’s bridge attack likely just copied the key attacker’s code and executed their own attack, new research from crypto exchange Coinbase (COIN) estimated this week.

Nomad, a cross-chain bridge that allowed users to send and receive tokens between different blockchains, was exploited in early August for over $190 million, or about the entirety of its token reserves.

The Coinbase research shows some 88% of all addresses that conducted the exploit were identified as “copycats” that together stole about $88 million in tokens from the bridge.

“The majority of copycats used a variation of the original exploit by simply modifying targeted tokens, amounts and recipient addresses,” Coinbase researchers said.

“While the majority of valuable tokens were claimed by just two of the original exploiters’ addresses, hundreds of others were able to claim part of the bridge’s holdings,” the researchers added.

Nomad did not return requests for comment at press time.

Two addresses stole a majority of the funds from Nomad amid "hundreds" of other copycats. (Coinbase)

On Twitter, Paradigm researcher @samczsun explained that a recent update of one of Nomad’s smart contracts made it easy for users to spoof transactions, as previously reported.

This meant users were able to withdraw money from the Nomad bridge that didn’t actually belong to them. And unlike some bridge attacks, where a single culprit is behind the entire exploit, the Nomad attack was a free-for-all.

“... [Y]ou didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” @samczsun said in a tweet in early August.

Such a scenario allowed early observers of the exploit to merely copy the attacker’s code, add their addresses and broadcast the changed code to the network in order to steal funds from Nomad.

This also caused the original exploiters “to compete against hundreds of copycats” for their attack, the Coinbase researchers pointed out.
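For readers who want to see how such copies can be told apart from an original transaction, here is an added example (not Coinbase's methodology and not code from the article): it masks the three fields the researchers say copycats changed, namely token, amount and recipient, and groups transactions by what is left. The payload layout, field offsets and sample transactions are constructed assumptions, not Nomad's real message format or real chain data.

```python
from collections import defaultdict

# Constructed payload layout (an assumption, not Nomad's real message format):
# selector[0:4] | token[4:24] | amount[24:56] | recipient[56:76] | tail
VARIABLE_FIELDS = [(4, 24), (24, 56), (56, 76)]

def template(data: bytes) -> bytes:
    """Zero the token, amount and recipient so only the shared skeleton remains."""
    if len(data) < 76:          # too short to follow the layout: leave untouched
        return data
    buf = bytearray(data)
    for start, end in VARIABLE_FIELDS:
        buf[start:end] = bytes(end - start)
    return bytes(buf)

def classify(txs):
    """Group txs by template; the earliest sender in a group is treated as the original."""
    groups = defaultdict(list)
    for tx in txs:
        groups[template(tx["data"])].append(tx)
    labels = {}
    for members in groups.values():
        first = min(members, key=lambda t: t["block"])
        for tx in members:
            same = tx["sender"] == first["sender"]
            labels[tx["hash"]] = ("unmatched" if len(members) == 1
                                  else "original" if same else "copycat")
    return labels

def copycat_address_share(txs, labels):
    """Fraction of distinct senders in matched groups that only sent copies."""
    matched = {t["sender"] for t in txs if labels[t["hash"]] != "unmatched"}
    copycats = {t["sender"] for t in txs if labels[t["hash"]] == "copycat"}
    return len(copycats) / len(matched) if matched else 0.0

def payload(token: int, amount: int, recipient: int, tail: bytes) -> bytes:
    return (b"\xaa\xbb\xcc\xdd" + token.to_bytes(20, "big")
            + amount.to_bytes(32, "big") + recipient.to_bytes(20, "big") + tail)

# Constructed sample transactions (not real chain data).
TAIL = b"\x01" * 64
SAMPLE = [
    {"hash": "t1", "sender": "A", "block": 100, "data": payload(1, 100, 0xA, TAIL)},
    {"hash": "t2", "sender": "A", "block": 101, "data": payload(2, 900, 0xA, TAIL)},
    {"hash": "t3", "sender": "B", "block": 102, "data": payload(1, 50, 0xB, TAIL)},
    {"hash": "t4", "sender": "C", "block": 103, "data": payload(3, 7, 0xC, TAIL)},
    {"hash": "t5", "sender": "D", "block": 101, "data": payload(1, 5, 0xD, b"\x02" * 64)},
]
```

Treating the earliest sender in each group as the original is a simplification; a real analysis would also need transaction ordering within a block and a check on where the funds ended up.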

Meanwhile, Nomad is currently working with security agencies and ethical hackers to recover part of the stolen funds and launched a bounty program last week. Over $25 million in funds have been returned as of Aug. 10, but most of it remains missing.
