In 2021, Illusory Systems, Inc. developed a cross-chain bridge known as the Nomad Bridge. A “bridge” is a protocol that allows multiple blockchain networks to interact with each other and for users to swap one token for another without having to trade in and out of tokens on an exchange and incur multiple trading fees. While operational, the Nomad Bridge moved more than $912 million worth of crypto assets on behalf of more than 21,000 unique wallet addresses.
On June 21, 2022, a routine update was made to the Nomad Bridge that introduced a vulnerability to the system. On August 1, 2022, an unidentified individual exploited that vulnerability to execute fraudulent transactions on the Nomad Bridge and stole a small amount of digital assets. The next day, an unidentified individual and various copycats initiated more fraudulent transfers on the Nomad Bridge and drained $186 million in crypto assets. Manu Singh, an individual, allegedly lost $172,000. Iagon, AS, a blockchain company that operates its own crypto-products, allegedly lost approximately $4.2 million. Iagon and Singh brought a proposed class action alleging, inter alia, RICO claims. The Defendants moved to dismiss the RICO claims. The court issued its opinion on March 29, 2024.
One element of a RICO claim is “racketeering activity,” which the statute defines as a list of criminal activities that constitute predicate acts for purposes of RICO and includes operating an unlicensed money transmitting business and wire fraud. The court explained that, to have standing to bring a RICO claim, a plaintiff must show that the defendant’s “RICO violation was not only a ‘but for’ cause of his injury, but also that it was the proximate cause;” the proximate cause requirement means that the plaintiff’s injury must be the “direct” result of an act of racketeering, rather than an attenuated harm following a “long chain of intervening causes.”
Here, the court held, a series of intervening, non-racketeering acts disrupted any potential causal relationship between Defendants’ putative predicate acts (operating an unlicensed money transmitting business and wire fraud) and Plaintiffs’ alleged injuries. The Complaint alleged that Illusory employed a coder who introduced a “simple mistake” or “vulnerability” into the Nomad Bridge’s code that “allowed anyone who saw it to craft transactions to steal funds from the Nomad Bridge.” Next, Plaintiffs say that an unknown “malicious actor began executing fraudulent transactions” using the vulnerability. Then, non-party and unknown “copycats” replicated the fraudulent transactions, stealing additional assets on the Nomad Bridge. Finally, the Complaint pleads that, although “off-chain software agents” called “Watchers” could have voided these illegitimate transactions, they did not intervene. According to the court, each of these intervening non-racketeering acts rendered the injury too remote from Defendants’ alleged wrongdoing—operating an unlicensed money transmitting business and wire fraud.
With respect to operating an unlicensed money transmitting business, Plaintiffs’ argument was that the mere existence of the “Nomad Enterprise” caused Plaintiffs’ harms; they contended that the Nomad Bridge could operate only by violating the law because “[h]ad the Nomad Enterprise sought a money-transmitting license to operate the bridge, it would almost certainly have been denied.” The court rejected Plaintiffs’ argument, saying:
Plaintiffs do not directly link the lack of regulatory licensing (or its claim that the application for such might have been denied) to Plaintiffs’ losses. For example, Plaintiffs do not explain how an improved compliance program would have prevented a coder from introducing a “simple mistake” into the Nomad Bridge’s code and stopped a “malicious actor” and “copycats” from exploiting that mistake. And Plaintiffs’ argument that “proper oversight that likely would have prevented the unsophisticated hack” becomes even more speculative if I were to accept as plausible Plaintiffs’ alternate theory that the “malicious actor” who introduced the vulnerability actually “worked on behalf of the Nomad Enterprise.”
In connection with the wire fraud issue, Plaintiffs argued that “repeatedly encouraging users to deposit their funds on the Nomad Bridge through false promises of security” proximately caused Plaintiffs’ losses because “false statements about a foreseeable assault on their system were made solely for the purpose of increasing their user base, which led directly to Plaintiffs’ and the proposed class’s losses.” The court did not agree, saying that “even if I were to accept as true that the allegedly false statements caused Plaintiffs to use the Nomad Bridge, that argument does not directly link allegedly false statements about security to Plaintiffs’ losses arising from a vulnerability in code that led to the theft of their funds.” The court said there were too many intervening events for Plaintiffs to show proximate cause. It gave as an example that Plaintiffs did not assert that Defendants promised there would never be error in its code.
For all the above reasons, the court dismissed the RICO claims. That dismissal also mandated the dismissal of the RICO conspiracy claim.