Israel Apprehends Additional Suspect Linked to $190 Million Nomad Bridge Crypto Incident
An American-Israeli national, Osei Morrell, has been apprehended in Israel for his alleged involvement in the exploit of the Nomad bridge smart contract that led to the siphoning of $190 million in August 2022. The operation was made possible by significant intelligence contributions from the blockchain analytics firm TRM Labs, which helped law enforcement authorities identify Morrell as a key suspect in one of the largest hacks in decentralized finance (DeFi) history.
Israeli police, in collaboration with the U.S. Department of Justice (DOJ), the FBI, and Interpol, orchestrated the arrest in Jerusalem. Morrell is slated for extradition to the United States, with legal proceedings already underway.
Morrell's Connection to the Nomad Bridge Hack
The Nomad bridge is a cross-chain communication protocol designed to facilitate asset transfers across different blockchain networks. On August 1, 2022, attackers exploited a critical vulnerability in an update to the bridge’s Replica smart contract, specifically affecting the ‘process()’ function. Because of this misconfiguration, the contract failed to properly validate message proofs before releasing funds, so invalid proofs were accepted based solely on matching root hashes.
Once a single individual identified this flaw, the method spread rapidly among other attackers, turning the incident into a “mob-style” attack in which the bridge was chaotically looted and over $190 million was drained in multiple cryptocurrencies, including ETH, USDC, and WBTC.
TRM Labs highlighted that the vulnerability was notably accessible, attracting not only seasoned hackers but also individuals without hacking expertise. Reports have implicated experienced actors from North Korea in the exploit as well.
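The proof-validation failure in process() described above can be modelled in a few lines. This is an added example, not Nomad's contract code and not from the original article: the class and function names are hypothetical, and the model assumes that a never-proven message reads back as an all-zero root and that the zero root was marked trusted by misconfiguration. It shows the weak check beside one possible hardening.

```python
# Added example: simplified model of a replica's proof check (constructed, not Nomad's code).
import hashlib

ZERO_ROOT = b"\x00" * 32  # value an unset mapping entry reads as (assumption of this model)

def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

class Replica:
    def __init__(self, trusted_roots, hardened):
        self.hardened = hardened
        self.confirm_at = {root: 1 for root in trusted_roots}  # root -> confirmation time
        self.proven_under = {}   # message hash -> root it was proven against
        self.processed = set()

    def prove(self, message, root, proof_ok):
        # proof_ok stands in for Merkle branch verification, which is not modelled here.
        if not proof_ok:
            return False
        self.proven_under[msg_hash(message)] = root
        return True

    def acceptable_root(self, root):
        if self.hardened and root == ZERO_ROOT:
            return False  # "never proven" must not compare equal to a trusted root
        return self.confirm_at.get(root, 0) != 0

    def process(self, message):
        h = msg_hash(message)
        if h in self.processed:
            return False  # replay of an already processed message
        # Weak point: a message that was never proven reads back as ZERO_ROOT.
        root = self.proven_under.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True  # funds would be released here

def demo():
    real_root = hashlib.sha256(b"constructed root").digest()
    out = {}
    for hardened in (False, True):
        r = Replica([ZERO_ROOT, real_root], hardened)  # zero root trusted by misconfiguration
        unproven = r.process(b"constructed message A, never proven")
        r.prove(b"constructed message B", real_root, proof_ok=True)
        proven = r.process(b"constructed message B")
        out[hardened] = (unproven, proven)
    return out

if __name__ == "__main__":
    print(demo())
```

In the weak configuration the unproven message is accepted; in the hardened one only the message that went through prove() is processed.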
While Morrell is not believed to have authored or initiated the exploit code, TRM Labs indicated that he played a significant role, with evidence suggesting involvement in laundering substantial portions of the stolen assets. Wallets associated with Morrell received encoded transactions shortly after the bridge was compromised, indicating potential collaboration with the initial attackers.
Analysis from TRM Labs indicates that Morrell employed techniques such as ‘chain-hopping’ to move the stolen tokens across various blockchains, used the Tornado Cash mixer to obscure the origins of the funds, and converted portions of the assets into privacy-first cryptocurrencies like Monero (XMR) and Dash.
To extract the illicit profits, Morrell utilized non-custodial exchanges, over-the-counter (OTC) brokers, and offshore banking accounts connected to fictitious or ambiguous legal entities, sometimes converting cryptocurrency to fiat with providers lacking strict Know Your Customer (KYC) procedures.
Despite extensive attempts at obscuration and the passage of time since these events, thorough blockchain transaction analysis enabled investigators to uncover Morrell’s identity, culminating in his arrest.
Following Morrell’s apprehension, another suspect, Russian-Israeli citizen Alexander Gurevich, was detained at Ben Gurion Airport in Tel Aviv on May 1 under an alias. Gurevich allegedly exploited the same vulnerability in the Nomad bridge, securing approximately $2.89 million in digital assets. Notably, Gurevich had proactively contacted Nomad’s Chief Technology Officer, admitting to probing the system for weaknesses and subsequently requesting a reward for identifying the vulnerability.