Crypto Trading Bot Platform 3Commas Rocked By Critical API Leak
After weeks of speculation that API keys had been leaked online, 3Commas’ founder now says the incident is very real
A. Solano/Shutterstock modified by Blockworks
Caution is advised for crypto traders using automated trading bot platform 3Commas after reports indicate millions of dollars has been stolen from exchange accounts.
Binance CEO Changpeng Zhao (CZ) tweeted Wednesday that he was “reasonably sure” that application programming interface (API) keys tied to 3Commas users had been shared online.
“If you have ever put an API key in 3Commas (from any exchange), please disable it immediately,” Zhao tweeted, following up an earlier warning from industry watcher tier10k.
3Commas users seeking to automate plays across multiple exchanges and markets can link their trading accounts via specially-generated API keys and secret combinations. These allow the 3Commas bot engine to execute trades on users’ behalf, making their security paramount.
API keys and secret combinations linked to Binance and KuCoin exchange accounts of 3Commas users were said to have been leaked. This was later confirmed by Yuriy Sorokin, co-founder of 3Commas in a tweet:
“We saw the hacker’s message and can confirm that the data in the files is true,” Sorokin said. “As an immediate action, we have asked that Binance, KuCoin, and other supported exchanges revoke all the keys that were connected to 3Commas.”
Confirmation of the leak comes after months of speculation over 3Commas security, alongside targeted phishing campaigns on the platform’s users.
Three FTX users utilizing the platform were phished in October; bad actors had mimicked its interface on malicious sites intended to trick traders into giving up their API keys and combinations.
Now-disgraced FTX founder Sam Bankman-Fried then offered $6 million to compensate the victims, although doing so would be a one-off. 3Commas had so far denied any API leaks had taken place.
More than $15 million may have been stolen from 3Commas users to date
By Dec. 8, Twitter personality CoinMamba had complained of losing funds on Binance via an exploited 3Commas API. Binance later suspended their account.
Both Binance and 3Commas declined to reimburse the user, claiming it was impossible to verify whether the API key had been stolen.
At around the same time, screenshots of leaked 3Commas API keys were circulating across social media. Sorokin claimed in a blog post that the screenshots were fake, and urged any affected users to file police reports.
“… We have implemented new security measures and will not stop there; we are launching a full investigation involving law enforcement,” tweeted Sorokin on Wednesday.
“We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation.”
The cat is now squarely out of the bag, but the total value of lost crypto — as well as the number of victims — is still unclear.
On-chain researcher ZachXBT last week said they’d confirmed 44 instances with combined losses of $14.8 million. “These are just ones where identity and account ownership were verified. The real number of victims is certainly higher,” they tweeted.
David Canellis contributed reporting.
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- 0xResearch: Alpha in your inbox. Think like an analyst.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- The Drop: Apps, games, memes and more.
- Lightspeed: All things Solana.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
