FTX To Reimburse $6M to 3Commas Phishing Attack Victims

FTX CEO Sam Bankman-Fried warned that reimbursing users affected by the 3Commas phishing scam would be a “one time thing”


FTX’s Sam Bankman-Fried | Blockworks exclusive art by axel rangel


key takeaways

  • At least three FTX users found millions missing from their accounts due to a phishing attack
  • API provider 3Commas discovered that several fake websites were used to phish its users

FTX CEO Sam Bankman-Fried said the cryptocurrency exchange will hand out $6 million to compensate victims of a phishing scam targeting its users — but never again.

Since last week, at least three FTX users were struck by the scam, in which hackers siphoned millions of dollars from their accounts with unauthorized trades. The attackers gained access by exploiting the 3Commas application programming interface (API) keys, which had been utilized by the affected FTX users.

3Commas is an automated crypto trading bot provider that facilitates automated buying and selling of crypto on major exchanges such as FTX. It’s seen as an efficiency tool, enabling users to easily place hundreds of trades, which is manually demanding.

The attacks were exposed when one FTX user reportedly found his account had traded DMG tokens more than 5,000 times on Oct. 19, which led to extraction of nearly $1.6 million in bitcoin, FTX token, ether and other cryptocurrencies (valued at the time).

A second user disclosed on Oct. 22 that he was a victim of the FTX attack, claiming he lost about 104 bitcoin ($2 million at current price) as a result of the incident. He also claimed he had never used his 3Commas account to set up a bot.

FTX phishing possibly spurred by malware

DMG, the token leveraged by the hackers in their scheme, is the governance token of defunct decentralized finance project DeFi Money Market (DMM), which ceased operations on Feb. 5 after inquiries from the SEC.

DMG’s price has crashed almost 60% since the closure but recovered to $0.02 as of Monday — roughly the same level as when DMM shut down, according to CoinGecko data.

3Commas confirmed that a number of partner exchange API keys were used to perform unauthorized trades for DMG crypto trading pairs on exchange accounts. Traders who had never used 3Commas were also affected by the phishing attack, it said.

Upon further investigation, the team found several fake 3Commas websites that were used to phish its users. Hackers had replicated the design of the website’s interface to capture API keys from users that mistakenly used the fake website to connect their exchange accounts.

3Commas said it further suspects API keys were stolen from users via malware and third-party browser extensions. It denied responsibility and said it was highly unlikely that the security incident originated with 3Commas’ services. FTX declined to comment while 3Commas directed Blockworks to its post-mortem blog.

Bankman-Fried published a Twitter thread expressing frustration at the incident. “Not only was this not FTX getting phished, it wasn’t even an FTX site. And in general we can’t compensate for users getting phished by fake versions of other companies in the space!”

“It isn’t FTX and we have basically no control over it,” Bankman-Fried said.

Loading Tweet..

Bankman-Fried added that FTX has mostly eliminated phishing sites that pose as the exchange itself, but that it can’t do the same for sites impersonating other services.

“To be clear, phishing is almost always a case where the user voluntarily (but unknowingly) gives their account credentials to a scammer by going to a bad site or something like that — but despite that, we take our duty to protect customers seriously, even from themselves,” he tweeted.

In this case, Bankman-Fried has sought fit to reimburse users affected by the 3Commas phishing campaign, but he warned that “this is a one-time thing and we will not do this going forward,” in all caps.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Templates.png


ZKPs enable efficient offchain transaction processing and validation, resulting in increased throughput and reduced fees. Solana's ZK Compression leverages ZKPs to minimize onchain storage costs, while Sui's zkLogin streamlines user onboarding by replacing complex key management with familiar OAuth credentials.


The crypto asset manager lowered its planned fee from 0.25% to 0.15%, undercutting its competitors


Plus, a look at planned ETH ETF fees and how they differ from their BTC counterparts


North Korea suspected in breach of Indian exchange’s multisig wallet


Plus, Sanctum’s CLOUD token has officially launched — but not without problems


It’s not yet clear whether Donald Trump is pumping bitcoin. But an unofficial memecoin is still seeing benefit.