Share this article
'Copycats' Stole $88M During Nomad Exploit by Copying Attacker's Code: Coinbase
Over 88% of the addresses involved in the $190 million Nomad attack likely belonged to users copying a code that was initially used by the exploiters.
Updated May 11, 2023, 6:42 p.m. Published Aug 11, 2022, 8:45 a.m.
Some 88% of the exploiters behind Nomad’s bridge attack were likely those who merely copied the key attacker’s code and executed their own attack, new research from crypto exchange Coinbase (COIN) estimated this week.
Nomad, a cross-chain bridge that allowed users to send and receive tokens between different blockchains, was exploited in early August for over $190 million, or about the entirety of its token reserves.
STORY CONTINUES BELOW
The Coinbase research shows some 88% of all addresses that conducted the exploit were identified as “copycats” that together stole about $88 million in tokens from the bridge.
“The majority of copycats used a variation of the original exploit by simply modifying targeted tokens, amounts and recipient addresses,” Coinbase researchers said.
“While the majority of valuable tokens were claimed by just two of the original exploiters’ addresses, hundreds of others were able to claim part of the bridge’s holdings,” the researchers added.
Nomad did not return requests for comment at press time.
On Twitter, Paradigm researcher @samczsun explained that a recent update of one of Nomad’s smart contracts made it easy for users to spoof transactions, as previously reported.
This meant users were able to withdraw money from the Nomad bridge that didn’t actually belong to them. And unlike some bridge attacks, where a single culprit is behind the entire exploit, the Nomad attack was a free-for-all.
“... [Y]ou didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” @samczsun said in a tweet in early August.
Such a scenario allowed early observers of the exploit to merely copy the attacker’s code, add their addresses and broadcast the changed code to the network in order to steal funds from Nomad.
This also caused the original exploiters “to compete against hundreds of copycats” for their attack, the Coinbase researchers pointed out.
Meanwhile, Nomad is currently working with security agencies and ethical hackers to recover part of the stolen funds and launched a bounty program last week. Over $25 million in funds have been returned as of Aug. 10, but most of it remains missing.
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
The Protocol: Stripe’s Tempo Testnet Goes Live
Also: ZKSync Lite to Sunset, Blockstream App Update, Axelar’s AgentFlux
What to know:
This article is featured in the latest issue of The Protocol, our weekly newsletter exploring the tech behind crypto, one block at a time. Sign up here to get it in your inbox every Wednesday.
Top Stories
