After several weeks of denial, crypto trading firm 3Commas finally admitted that it was the source of the massive API key leak that cost its users millions of funds.
Late October saw the start of 3Commas’ security concerns. In response to reports from users of unlawful trades of trading pairs with the DMG coin on FTX at the time, the still operational FTX exchange issued a security notice. The trades were carried out using accounts that were created by hackers, according to 3Commas and FTX.
Users can connect their multiple crypto exchange accounts, such as Binance, KuCoin, OKX, and other platforms, to automated trading software using the 3Commas platform. Application programming interfaces (APIs) are standardized procedures that let various software components connect with one another and carry out activities.
3Commas and its CEO Yuriy Sorokin denied their involvement multiple times since November, even after users were complaining relentlessly. In November, 3Commas released a blog post stating that, using a number of phishing techniques, malicious actors were able to steal the exchange API keys of some crypto traders.
3Commas noted the hackers may have also compromised the security of the user’s personal computers by installing malware and browser extensions to gain access to the files containing the keys.
“The wide number of exchanges and trade automation services involved provides strong evidence that this is a sophisticated multi-month phishing attack executed by a criminal organization targeting individual crypto traders,” the firm stated.
Sorokin has consistently responded to the criticisms of the platform in a series of blog pieces published on the 3Commas website.
In addition to denying that its employees stole users’ API keys, 3Commas asserted that screenshots making the rounds on social media were fraudulent and urged anybody who had been harmed to contact the authorities to prevent further fund theft.
In a blog post published this month, 3Commas noted, “In the latest edition to this saga of API keys and attacks on exchanges, we’re now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files.”
3Commas appeared really confident in their innocence by claiming, “As an overall conclusion, we see that the bad actors have put a lot of effort into creating these fake images. This is an unprecedented information attack. But it would be nonsense to take any “security reports” that rely on such kind of “proof” seriously.”
Later, famous crypto trader CoinMamba tweeted that their Binance was compromised due to a breach of the 3Commas API key, which resulted in them taking a loss. The post sparked a series of conversations between CoinMamba and CZ, CEO of Binance, which resulted in the closure of CoinMamba’s Binance account.
Crypto sleuth ZachXBT chimed in on the situation, saying that over the past couple of weeks, a number of 3Commas users have reported unauthorized trades on their CEX accounts.
“3Commas blames it on “phishing”, but I now have verified a group of 44 victims who’ve had $14.8m in total stolen,” ZachXBT tweeted.
3Commas addressed the concern but by repeating that there is no hacking or API leak at the platform, encouraging victims to file a police report.
A Twitter user was able to gain almost 100,000 API keys belonging to 3Commas customers. Over 10,000 of the keys were released by the leaker, and the remainder will be revealed randomly in the upcoming days, according to the leaker.
And today, after continuous irresponsible behavior by 3Commas, Twitter user db reported that all of 3Commas’ API keys have been leaked. Before that, Binance CEO CZ tweeted that he is sure there are widespread API key leaks from 3Commas.
Following the 3Commas commotion, ZachXBT said an account messaged him and sent over a database with API keys of 3Commas users. ZachXBT checked in with the 3Commas victims group, and they confirmed multiple people had matched their API keys in the database.
The message sent to ZachXBT notes that the API keys were compromised “to teach everybody a low lesson, not a hard one to do not trust 3Commas.”
Sorokin finally bent his knees and acknowledged the event after verifying the leaked API keys, tweeting, “We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation.”
As an immediate action, 3Commas has asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
3Commas announced, “We urge every user to reissue their keys on the exchanges. Again, we commit to saying that no keys after Nov 16 are at risk. In case you do not update those, they will be revoked by exchanges to ensure your account security.”
The 3Commas API leak victims are demanding compensation and an apology from the 3Commas and Sorokin for mishandling the whole situation even after the victims continuously reported the situation for weeks.
Compiled by Coinbold
