Last week, Israeli authorities — acting on a request from the US Department of Justice (DOJ) — arrested and approved the extradition of an individual suspected of playing a central role in the USD 190 million exploit of Nomad Bridge in August 2022. The arrest marks a milestone in the global effort to hold accountable actors who exploit cross-chain infrastructure for financial crime. TRM Labs is proud to support Nomad and law enforcement partners in combating complex crypto-enabled threats.
The suspect, Russian-Israeli dual national Alexander Gurevich, was arrested in Jerusalem by Israeli police working in coordination with the DOJ, the FBI, and Interpol. According to publicly available court filings and law enforcement statements, Gurevich allegedly conspired with others to execute the exploit and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities.
The exploit: A public loophole in Nomad’s smart contract
The Nomad Bridge exploit remains one of the most remarkable and chaotic hacks in decentralized finance (DeFi) history. On August 1, 2022, attackers took advantage of a critical vulnerability in Nomad’s Replica smart contract — a verification bug introduced in a routine code update that allowed messages with invalid proofs to be accepted as valid.
Specifically, a misconfiguration in the bridge’s process() function caused the contract to accept any message with the correct root hash, regardless of whether the proof was legitimate. Once one user figured out the exploit, it was rapidly copied and pasted by hundreds of wallets in a type of "mob attack," turning a targeted hack into an opportunistic frenzy.
Notably, this wasn’t a traditional exploit with a single attacker. The vulnerability allowed anyone to replicate the exact transaction format and drain funds. In just a few hours, Nomad lost over USD 190 million in assets including ETH, USDC, WBTC, and various ERC-20 tokens. Of that, approximately USD 88 million was ultimately traced to wallets engaging in laundering activity rather than voluntary returns or white hat recoveries.
The laundering operation: Chain-hopping, mixers, and Monero
Shortly after the exploit, TRM Labs worked feverishly with Nomad personnel to identify the exit points and trace out the complicated network flow of funds. The Nomad team published this post on X (formerly Twitter) highlighting these efforts:
According to the DOJ indictment, Gurevich played a central role in laundering a portion of the stolen funds. Blockchain analysis shows that wallets linked to Gurevich received stolen assets within hours of the bridge breach and began fragmenting the funds across multiple blockchains. This chain-hopping tactic is commonly used to complicate attribution and make tracing more difficult.
He then employed a classic mixer stack: moving assets through Tornado Cash on Ethereum, then converting ETH to privacy coins such as Monero (XMR) and Dash. These privacy-preserving assets were routed through non-custodial exchanges and decentralized liquidity pools, then cashed out via over-the-counter brokers and offshore bank accounts — often linked to shell companies registered in opaque jurisdictions.
Further analysis indicates Gurevich leveraged virtual asset service providers (VASPs) with lax Know Your Customer (KYC) standards to convert crypto into fiat, as well as peer-to-peer platforms in jurisdictions with limited enforcement capacity. Some funds also re-entered the crypto ecosystem through NFT marketplaces, gaming platforms, and DeFi lending protocols in an effort to "wash" the funds and make them appear legitimate.
Global coordination and extradition
This week’s extradition reflects growing momentum behind cross-border enforcement of crypto crime. Israeli prosecutors and judges emphasized that Gurevichs case met the threshold of financial crime under both Israeli and US law, warranting his transfer to the US for trial. His extradition marks a rare but powerful instance of a cyber suspect being physically transferred for prosecution in connection with a DeFi exploit.
According to reports, Israeli authorities executed the arrest quickly following the DOJ’s official request, noting the severity of the case and the global implications of large-scale digital asset theft and laundering. Gurevich now faces multiple federal charges in the US, including wire fraud, conspiracy, and money laundering.
Broader context: Bridges and the modern laundering playbook
TRM Labs identified the Nomad Bridge exploit as one of the ten largest DeFi hacks of 2022 in its “Illicit Crypto Ecosystem Report.” The case typifies a broader trend: bridge protocols are increasingly targeted due to the massive value they facilitate across chains — often with immature or unaudited code.
The laundering techniques in the Nomad case — including the use of Tornado Cash, Monero, shell companies, and chain-hopping — mirror those used by both profit-motivated actors and nation-state groups. The incident also served as a wake-up call for the industry, triggering new security audits, bridge architecture upgrades, and an intensified law enforcement focus on the intersection of DeFi and money laundering.
The successful arrest and extradition of a key figure in the Nomad Bridge exploit signals that pseudo-anonymity is no guarantee of impunity in the crypto space. Through global cooperation, data-driven investigations, and increasingly sophisticated blockchain intelligence, law enforcement agencies are closing the gap on illicit actors. TRM Labs remains committed to supporting partners worldwide in tracing crypto crime and protecting the integrity of the financial system.
An earlier version of this story incorrectly identified another individual as the suspect in the Nomad exploit. The correct name is Russian-Israeli dual national Alexander Gurevich.
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.
