100,000 API keys and password combinations belonging to users of the automated crypto bot trading platform 3Commas were leaked last week. After months of speculation, the company has finally admitted that it was responsible for the leak.
Last week a group of traders came out saying that they had lost $22 million worth of crypto to an attack that compromised their API keys on bot trading platform 3Commas. The company’s co-founder and CEO Yuriy Sorokin initially denied that it was hacked and blamed users for giving up their keys in a phishing attack.
However, on Tuesday, after an anonymous Twitter user revealed that they had obtained around 100,000 API keys belonging to 3Commas users, the company came forward and admitted that it was in fact to blame for the leak.
3Commas is a platform that allows users to link their accounts on multiple crypto exchanges to a single, automated trading software. The protocol employs algorithmic bots that automatically execute trades on the traders’ behalf, giving them an edge over their competition.
Users link their accounts via APIs (application programming interfaces), a mechanism that enables separate software solutions to complete tasks by communicating with each other, to trade cryptocurrencies.
Soon after users complained about losing their funds, blockchain sleuth ZachXBT said that he had identified 44 victims who lost a combined $14.8 million in the 3Commas API hack. In response, Sorokin reasoned that if it was a leak by the company, there would have been millions of cases and “not a hundred”. In a Twitter thread, he questioned the validity of the complaints, asking why the victims never went to the police, and blamed incompetency from big media sources.
“There are over 1 million keys connected to 3Commas. With ~100 users reporting issues with their accounts, why would that happen if the database was leaked,” tweeted Sorokin.
3Commas confirmed that API keys and secret combinations of user accounts linked to Binance and KuCoin exchanges are the ones that were reportedly leaked. Sorokin has since asked Binance, KuCoin and all other crypto exchanges supported by 3Commas to revoke all the keys that were connected to its bot trading protocol. The very next day, Binance CEO Changpeng “CZ” Zhao said that he was sure APIs tied to 3Commas were shared online and asked users to disable their keys immediately.
This leak confirms months of speculation surrounding the security of 3Commas, alongside the phishing attack that was targeted at the platform’s users. In October, three traders who were using the protocol on the now-bankrupt FTX exchange reported that their keys were stolen in a phishing attack. The hackers mimicked 3Commas’ interface on authentic-looking malicious websites to trick traders into giving up their API keys and password combinations.
At the time, the disgraced CEO of FTX, Sam Bankman-Fried, offered $6 million in compensation to the victims. This was a one-off event. In December, popular trader CoinMamba reported losing funds on Binance after using an exploited 3Commas API. Back then 3Commas denied the allegation and declined to reimburse the stolen funds, claiming that it was impossible to verify whether the keys had been stolen.
Many users have now come forward alleging that the company was blaming them for its own mistakes, and are asking for refunds. Sorokin has apologised to his customers and stated that the platform has implemented new security measures and is working with law enforcement to launch a full investigation into the matter. “We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation,” tweeted the CEO.
Various media sources report that 3Commas has declined to comment on whether it will be refunding affected users, only saying that it will continue to work with customers and keep them updated. The total amount lost to the hack is estimated to be $14.8 million, but analysts say this figure could be higher, with the real number of victims certainly being higher.