3Commas Admits It Was Source of API Leak That Led to Hacks

A group of traders last week said that $22 million worth of crypto had been stolen through compromised API keys from the trading platform 3Commas. On Wednesday, 3Commas admitted it was the source of that API leak.

The announcement came after an anonymous Twitter user obtained around 100,000 API keys belonging to 3Commas users and published it online. 

3Commas had initially insisted there was no security issue on its end, and co-founder Yuriy Sorokin repeatedly suggested on Twitter that a phishing attack caused users to give up their data. 

But on Wednesday, Sorokin tweeted: “We saw the hacker’s message and can confirm that the data in the files is true… We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation.”

3Commas is a platform that lets users link multiple crypto exchange accounts—such as those kept on Binance—to automated trading software. This is all done via APIs (application programming interfaces), the standardized mechanisms that enable separate software components to communicate with each other and perform tasks. The idea is that humans don’t have to do the hard work of thinking about their trades. Instead, it’s all done instantly and automatically via code. 

Until the wrong people get access to the APIs.

Blockchain sleuth @ZachXBT previously said on Twitter that he had verified a group of 44 victims who lost a total of $14.8 million through API keys stolen from 3Commas.

In response, Sorokin tweeted that “If you are a victim, then it means that somehow your keys were leaked,” but “not from 3Commas.” If the leaked API keys had been from 3Commas, “you would’ve seen millions of cases, not a hundred,” he reasoned.

In a separate thread, he blasted “incompetency from big media sources” and questioned the validity of a crowdsourced spreadsheet of compromised accounts. “Pay attention that the majority of the users reporting losses didn’t even open a support ticket with the exchange, and didn’t go to the police,” Sorokin tweeted. “How was this information verified?”

Again he asserted that there were too few incidents for it to have been a 3Commas exploit. “There are over 1 [million] keys connected to 3Commas, with ~100 users reporting issues with their accounts,” Sorokin tweeted. “Why would that happen if [database] was leaked?”

Today, a vindicated ZachXBT tweeted that “for weeks [3Commas] have been blaming its users and accepting zero responsibility.” 

“You kept lying and saying this was our fault instead of taking responsibility and prevented further exploits,” added @CoinMamba, another 3Commas user who said he lost funds. “Are you going to refund the users now?”

This isn’t the first time 3Commas and its API handling came under scrutiny. About a month before FTX filed for bankruptcy, Sam Bankman-Fried agreed to refund $6 million to customers affected by what was described as a phishing scam involving 3Commas.

On Wednesday, Binance CEO Changpeng Zhao tweeted that he was “reasonably sure” there were “widespread API key leaks” from 3Commas. 

CZ added that users should disable their API keys in 3Commas. This is what 3Commas is now recommending as well.

“As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas,” Sorokin tweeted.

3Commas has not responded to a request for further comment from Decrypt.