Law enforcement authorities have apprehended Alexander Gurevich, a dual Russian-Israeli citizen and the primary suspect in the infamous $190 million Nomad bridge hack of August 2022. Gurevich was arrested at Ben-Gurion International Airport on May 1, 2025, while allegedly attempting to board a flight to Russia using a fraudulent passport obtained under a changed name. The arrest, publicly reported on May 6, 2025, marks a significant milestone in the ongoing international effort to bring crypto criminals to justice and demonstrates the increasing cooperation between global law enforcement agencies in tracking and prosecuting cybercrime perpetrators.
The Exploit Mechanics
The original Nomad bridge exploit occurred in August 2022 when an attacker identified a critical vulnerability in the bridge’s smart contract initialization process. The flaw allowed anyone to craft malicious messages that the contract would treat as valid withdrawal requests. Gurevich, according to the U.S. extradition request, was the first to exploit this vulnerability, withdrawing approximately $2.89 million in digital assets before copycat attackers followed suit, eventually draining a total of nearly $190 million from the cross-chain bridge. The exploit required no special authentication — it was essentially an open door that the protocol’s developers had inadvertently left unlocked through a flawed initialization routine. Once the first attacker demonstrated the exploit on-chain, others replicated the transaction pattern, turning what began as a single sophisticated theft into a chaotic free-for-all that contributed to Nomad’s near-collapse.
Affected Systems
The Nomad bridge connected the Ethereum mainnet with several other blockchain networks, including Moonbeam and Conflux, facilitating cross-chain token transfers. The hack primarily affected liquidity providers and users who had deposited tokens into the bridge’s smart contracts. Following the exploit, Nomad attempted a recovery effort, raising $22.4 million from investors to partially reimburse affected users. The broader DeFi ecosystem also suffered contagion effects, as the hack eroded confidence in cross-chain bridge protocols at a time when billions of dollars in assets were flowing through similar infrastructure. Bitcoin was trading at approximately $96,800 and Ethereum at $1,815 on the date of Gurevich’s reported arrest, underscoring that even as the market had recovered substantially, the ghosts of past exploits continued to haunt the industry.
The Mitigation Strategy
Gurevich’s apprehension illustrates a multi-layered law enforcement response that spanned multiple jurisdictions and agencies. The U.S. Justice Department issued an extradition request through diplomatic channels, which was received by Israel’s State Attorney Office International Department. Justice Minister Yariv Levin ordered Gurevich to appear before the Jerusalem District Court for an extradition hearing. When intelligence indicated that Gurevich was planning to flee, authorities tracked his movements, including his suspicious name change to “Alexander Block” in Israel’s Population Registry on April 29 and his expedited passport application at the airport the following day. The arrest at the boarding gate demonstrates effective interdiction coordination between immigration authorities, law enforcement, and judicial oversight. For the crypto industry, this case validates the emerging principle that pseudonymous transactions on a public blockchain are not anonymous — on-chain forensics, combined with traditional investigative techniques, can identify and locate perpetrators even years after the crime.
Lessons Learned
The Gurevich case offers several critical takeaways for the cryptocurrency security community. First, cross-chain bridges remain among the most vulnerable components in the DeFi ecosystem, and protocols must implement rigorous formal verification of their smart contracts, particularly around initialization and message validation logic. Second, the case demonstrates that law enforcement agencies worldwide are becoming increasingly sophisticated in their ability to investigate and prosecute crypto-related crimes, aided by blockchain analytics firms that can trace stolen funds across multiple chains and mixing services. Third, the suspect’s attempted evasion — changing his name, obtaining a new passport, and trying to flee to a non-extradition country — suggests that crypto criminals are increasingly aware of their vulnerability to traditional law enforcement methods. This awareness may serve as a deterrent, but it also means that those who do attempt large-scale thefts are likely to be more sophisticated and harder to catch, requiring the security community to maintain constant vigilance.
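The class of flaw described under The Exploit Mechanics, together with the initialization and message-validation checks recommended above, as an added example that is not Nomad's code. It is a simplified Python model of contract logic; every class and function name is hypothetical, and representing the trusted value as a 32-byte root is an assumption of the example.

```python
# Simplified model, constructed for illustration; all names are hypothetical.
ZERO = b"\x00" * 32  # what an unset 32-byte storage slot reads back as


class BridgeInbox:
    """Bridge contract model: releases funds only for validated messages."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.trusted_roots = set()  # roots accepted as valid commitments
        self.proven_under = {}      # message hash -> root it was proven against

    def initialize(self, committed_root: bytes) -> None:
        if self.hardened and committed_root == ZERO:
            raise ValueError("refusing to trust the zero root")
        self.trusted_roots.add(committed_root)

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Stand-in for verifying a Merkle proof of msg_hash against root.
        self.proven_under[msg_hash] = root

    def process(self, msg_hash: bytes) -> bool:
        # A message nobody proved reads back as the zero default.
        root = self.proven_under.get(msg_hash, ZERO)
        if self.hardened and root == ZERO:
            return False  # explicit rejection of the default value
        return root in self.trusted_roots


def zero_root_invariant(inbox: BridgeInbox) -> bool:
    """Post-initialization check: the default value must never be trusted."""
    return ZERO not in inbox.trusted_roots


def demo() -> dict:
    unproven, proven = b"\x11" * 32, b"\x22" * 32  # constructed hashes
    good_root = b"\xaa" * 32                        # constructed root
    weak = BridgeInbox(hardened=False)
    weak.initialize(ZERO)  # flawed initialization: zero marked as trusted
    safe = BridgeInbox(hardened=True)
    safe.initialize(good_root)
    safe.prove(proven, good_root)
    return {
        "weak_accepts_unproven": weak.process(unproven),
        "weak_invariant_holds": zero_root_invariant(weak),
        "safe_accepts_unproven": safe.process(unproven),
        "safe_accepts_proven": safe.process(proven),
        "safe_invariant_holds": zero_root_invariant(safe),
    }
```

The invariant function is the kind of property a deployment test or formal specification would assert after every initialization and upgrade.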
User Action Required
For users of cross-chain bridge protocols, the Nomad case reinforces the importance of several security practices. Always verify that a bridge protocol has undergone independent security audits from reputable firms before depositing funds. Monitor official protocol channels for security advisories and be prepared to withdraw funds immediately if vulnerabilities are disclosed. Use hardware wallets to store significant crypto holdings rather than keeping them in bridge contracts or DeFi protocols for extended periods. Diversify across multiple bridges rather than concentrating all cross-chain activity through a single protocol. Finally, support and engage with projects that prioritize formal verification and bug bounty programs, as these mechanisms represent the most effective proactive defenses against the types of vulnerabilities that led to the Nomad exploit.
trying to flee to Russia on a fake passport after 3 years. wonder what took him so long to slip up
probably got comfortable after 3 years of nothing happening. the fake passport suggests someone tipped him off recently and he panicked
Egor P. 3 years hiding in Israel and then panicking on a fake passport. someone definitely tipped him off. you don't spontaneously decide to flee after laying low that long
the original exploit required zero special auth. literally an open door left by a flawed initialization routine. $190M gone because someone forgot to set a variable
copycat attackers turning it into a chaotic free-for-all after Gurevich demonstrated the exploit is wild. the original thief basically gave everyone the instruction manual
the copycat cascade after Gurevich showed the exploit is what made Nomad truly catastrophic. one thief walks away with $2.89M while everyone else joins the free-for-all
copycats drained most of the 190M not Gurevich himself. he walked away with 2.89M and opened the floodgates. the irony is the original bug would have been less damaging if he'd kept it quiet
a parameter supposed to be set to a specific contract address but left uninitialized as zero. $190M drained because of a zero value. brutal
a zero value left uninitialized drained $190M. every smart contract audit checklist has this as item one but here we are
overfl0w_ uninitialized parameter set to zero instead of a contract address. every Solidity audit checklist starts with this. 190M gone because of a default value
glad they caught him but $2.89M out of $190M is a small slice. hope the rest of the funds get recovered eventually