An anonymous Twitter user obtained the API keys of around 100,000 users of the crypto trading service 3Commas. The leaker published over 10,000 keys on Wednesday, and the rest will be published randomly in the coming days.
The CEO of 3Commas confirmed the leak’s authenticity in a tweet on Wednesday. He added that Binance, Kucoin, and other supported exchanges should revoke all 3Commas API keys immediately.
In response to the leak, dozens of 3Commas users claimed that their API keys were used to execute trades on exchanges such as Binance, KuCoin, and Coinbase without their permission. Since October, at least $6 million has been lost to attackers, according to 3Commas. User reports indicate that this sum has doubled in recent weeks.
Users have organized themselves into Telegram group chats, saying 3Commas, Binance, or Coinbase leaked their credentials or that they were phished by 3Commas. 3Commas has stated its victims’ losses were a result of phishing attacks, but more than 50 users have now insisted their credentials were leaked by 3Commas.
There is clear evidence that the credentials were leaked rather than phished, as shown by Wednesday’s data dump. Several 3Commas users confirmed that they found their API keys among those shared by the leaker.
3Commas’ Sorokin tweeted that the company “did everything we could to investigate if an inside job had been performed, as it had been a potential scenario on our watch list, but no evidence has been found.”
Ahead of 3Commas’ statement, Binance CEO Changpeng Zhao advised users Wednesday afternoon to disable any API keys they had previously entered into 3Commas (from any exchange).
CZ disclosed the incident after Binance canceled the account of a user who had complained the day before about losing funds. Binance declined to reimburse the user for losses from a leaked API key connected to 3Commas being used to trade low-cap coins for profit.
A CZ tweet stated that the loss was unverifiable and that if the company compensated for the losses, “we would be paying for users to lose API keys.”
A fake screenshot purporting to show that 3Commas had weak security and that its employees were stealing API keys was circulated on Twitter and YouTube on Dec. 11, 3Commas CEO Yuriy Sorokin said on his blog. According to Sorokin, technical analysis of the images proved the allegations untrue:
The screenshots were created with an HTML editor, but the creator made a few key mistakes that easily prove the claims are false. We’ll go through them point by point.
Meanwhile, a Twitter user claims all of 3Commas’ API keys have been leaked.
At 3Commas, security issues first began to emerge in late October. Users reported unauthorized trades of trading pairs using the DMG coin on FTX at that time, prompting the FTX exchange to issue a security alert. A joint investigation with FTX determined that hackers created accounts with 3Commas to conduct the trades. However, a 3Commas blog post states, “the API keys were not taken from 3Commas, but from outside the platform.”