TLDR
- Alexander Gurevich, a Russian-Israeli citizen, was arrested in Israel for his alleged role in the $190M Nomad bridge hack
- Gurevich allegedly exploited a vulnerability first, stealing $2.89M before copycats stole the remaining funds
- He contacted Nomad’s CTO via Telegram, requested a $500,000 bounty, and returned $162,000
- Gurevich was arrested at Ben-Gurion Airport trying to flee to Russia using a new identity (“Alexander Block”)
- US authorities are seeking his extradition on money laundering charges that carry up to 20 years in prison
Alexander Gurevich, a Russian-Israeli citizen, was arrested at Israel’s Ben-Gurion Airport on May 1 while attempting to board a flight to Russia. He is allegedly the person who first exploited a vulnerability in the Nomad bridge smart contracts in August 2022, leading to a massive $190 million hack that caused the protocol’s collapse.
Israeli authorities apprehended Gurevich just days after he legally changed his name to “Alexander Block” and obtained a new passport. The arrest came as part of an extradition process initiated by US authorities, who filed an eight-count indictment against him in the Northern District of California in August 2023.
According to reports from The Jerusalem Post, Gurevich had returned to Israel from an overseas trip on April 19 and was ordered to appear before the Jerusalem District Court for an extradition hearing. Instead of complying, he changed his name on April 29 and attempted to flee to Russia two days later.
US prosecutors allege that Gurevich was the first to identify and exploit a critical vulnerability in Nomad’s smart contracts. He allegedly stole approximately $2.89 million worth of cryptocurrency tokens through this exploit in August 2022.
Alexander Gurevich ("Block") was arrested Thursday at Ben Gurion Airport in Israel. He is wanted in the United States for computer offenses, transfer of stolen money and laundering money worth millions of dollars in a sting that in 2022 almost led to the collapse of one…
— יואב איתיאל מדווח כי (@yoavetiel) May 3, 2025
How The Hack Unfolded
What made the Nomad hack unusual was how it evolved from a single exploit into what security experts described as a “free-for-all.” After Gurevich’s initial breach, dozens of copycat hackers quickly spotted and exploited the same vulnerability.
“This is why the hack was so chaotic — you didn’t need to know about Solidity or Merkle Trees or anything like that,” explained Samczsun, a well-known blockchain security researcher. “All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
Onchain data analyzed by Coinbase identified 88 unique wallet addresses participating as copycats, collectively responsible for removing $88 million from the bridge. The vulnerability allowed attackers to spoof Nomad’s smart contracts with invalid transactions to withdraw funds from the protocol.
The majority of stolen assets were in USDC stablecoin and wrapped versions of Bitcoin and Ethereum. Some participants in the exploit later turned out to be “whitehats” or ethical hackers who returned funds they had withdrawn during the chaos.
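A monitoring-side sketch of how the copy-and-rebroadcast pattern described in this section shows up in transaction data (an added example, not code from the article, Nomad or Coinbase): transactions whose calldata is identical once the sender's own address is masked out are grouped, and templates reused by several distinct senders are flagged. The transaction layout, field names, selectors and addresses are constructed for illustration and do not reflect Nomad's actual message format.

```python
import hashlib
from collections import defaultdict

MASK = "00" * 20  # placeholder substituted for the sender's 20-byte address


def template_id(sender: str, calldata: str) -> str:
    """Hash calldata after masking every occurrence of the sender's own address."""
    addr = sender.lower().removeprefix("0x")
    data = calldata.lower().removeprefix("0x")
    return hashlib.sha256(data.replace(addr, MASK).encode()).hexdigest()[:16]


def find_replay_clusters(txs, min_senders=3):
    """Return {template_id: sorted senders} for templates reused by many senders."""
    clusters = defaultdict(set)
    for tx in txs:
        addr = tx["from"].lower().removeprefix("0x")
        # Only payloads that embed the sender's address fit the copy-and-swap pattern.
        if addr in tx["input"].lower():
            clusters[template_id(tx["from"], tx["input"])].add(tx["from"].lower())
    return {t: sorted(s) for t, s in clusters.items() if len(s) >= min_senders}


def _tx(sender, body):
    # Helper for building constructed sample transactions.
    return {"from": "0x" + sender, "input": "0x" + body}


# Constructed sample: three senders reuse one payload with only the embedded
# address swapped; a fourth sends an unrelated call.
A, B, C, D = ("a1" * 20, "b2" * 20, "c3" * 20, "d4" * 20)
PAYLOAD = "12345678" + "00" * 12 + "{}" + "00" * 31 + "64"
SAMPLE = [
    _tx(A, PAYLOAD.format(A)),
    _tx(B, PAYLOAD.format(B)),
    _tx(C, PAYLOAD.format(C)),
    _tx(D, "87654321" + "00" * 12 + D + "00" * 31 + "01"),
]

if __name__ == "__main__":
    for tid, senders in find_replay_clusters(SAMPLE).items():
        print(f"template {tid}: reused by {len(senders)} distinct senders")
```

A sudden rise in distinct senders sharing one template against a bridge contract is the kind of signal that could justify pausing the contract while the transactions are reviewed.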
The Telegram Confession
In a twist that ultimately led to his identification, Gurevich allegedly reached out to Nomad’s Chief Technology Officer, James Prestwich, via Telegram shortly after the hack. Using a fake identity, he admitted to “amateurishly” seeking a crypto protocol to exploit.
During these communications, Gurevich apologized for “the trouble he caused Prestwich and his team” and voluntarily transferred about $162,000 into a recovery wallet the company had set up. This amount represented only a small fraction of what he allegedly stole.
Prestwich offered Gurevich a 10% bounty on the value of the stolen assets if he would return them, a common practice in the cryptocurrency space when dealing with hackers. Gurevich reportedly said he would consult his lawyer but never responded after that.
At some point during these negotiations, Gurevich demanded a reward of $500,000 for identifying the vulnerability, according to court documents.
Israeli officials believe Gurevich carried out the attack while physically in Israel, having arrived in the country just days before the $190 million exploit occurred in August 2022.
The money laundering charges that Gurevich now faces in the US carry a maximum sentence of 20 years, which is much harsher than penalties he would face under Israeli law. The US submitted a formal extradition request in December 2024.
Peter Kacherginsky, a blockchain security expert formerly with Coinbase’s security team, commented on X that Gurevich “fits the profile of a crypto-native threat actor: skilled in smart contract exploitation but ultimately undone by poor opsec [operational security].”
The attacker behind the $186M Nomad Bridge hack has been identified as Alexander Gurevich, aka "Block".
He fits the profile of a crypto-native threat actor: skilled in smart contract exploitation but ultimately undone by poor opsec. https://t.co/7U6plnewRh
— Peter Kacherginsky (@_iphelix) May 4, 2025