FTX To Reimburse $6M to 3Commas Phishing Attack Victims

FTX CEO Sam Bankman-Fried said the cryptocurrency exchange will hand out $6 million to compensate victims of a phishing scam targeting its users — but never again.

Since last week, at least three FTX users were struck by the scam, in which hackers siphoned millions of dollars from their accounts with unauthorized trades. The attackers gained access by exploiting the 3Commas application programming interface (API) keys, which had been utilized by the affected FTX users.

3Commas is an automated crypto trading bot provider that facilitates automated buying and selling of crypto on major exchanges such as FTX. It’s seen as an efficiency tool, enabling users to easily place hundreds of trades, which is manually demanding.

The attacks were exposed when one FTX user reportedly found his account had traded DMG tokens more than 5,000 times on Oct. 19, which led to extraction of nearly $1.6 million in bitcoin, FTX token, ether and other cryptocurrencies (valued at the time).

A second user disclosed on Oct. 22 that he was a victim of the FTX attack, claiming he lost about 104 bitcoin ($2 million at current price) as a result of the incident. He also claimed he had never used his 3Commas account to set up a bot.

FTX phishing possibly spurred by malware

DMG, the token leveraged by the hackers in their scheme, is the governance token of defunct decentralized finance project DeFi Money Market (DMM), which ceased operations on Feb. 5 after inquiries from the SEC.

DMG’s price has crashed almost 60% since the closure but recovered to $0.02 as of Monday — roughly the same level as when DMM shut down, according to CoinGecko data.

3Commas confirmed that a number of partner exchange API keys were used to perform unauthorized trades for DMG crypto trading pairs on exchange accounts. Traders who had never used 3Commas were also affected by the phishing attack, it said.

Upon further investigation, the team found several fake 3Commas websites that were used to phish its users. Hackers had replicated the design of the website’s interface to capture API keys from users that mistakenly used the fake website to connect their exchange accounts.

3Commas said it further suspects API keys were stolen from users via malware and third-party browser extensions. It denied responsibility and said it was highly unlikely that the security incident originated with 3Commas’ services. FTX declined to comment while 3Commas directed Blockworks to its post-mortem blog.

Bankman-Fried published a Twitter thread expressing frustration at the incident. “Not only was this not FTX getting phished, it wasn’t even an FTX site. And in general we can’t compensate for users getting phished by fake versions of other companies in the space!”

“It isn’t FTX and we have basically no control over it,” Bankman-Fried said.

Bankman-Fried added that FTX has mostly eliminated phishing sites that pose as the exchange itself, but that it can’t do the same for sites impersonating other services.

“To be clear, phishing is almost always a case where the user voluntarily (but unknowingly) gives their account credentials to a scammer by going to a bad site or something like that — but despite that, we take our duty to protect customers seriously, even from themselves,” he tweeted.

In this case, Bankman-Fried has sought fit to reimburse users affected by the 3Commas phishing campaign, but he warned that “this is a one-time thing and we will not do this going forward,” in all caps.

---

Get the news in your inbox. Explore Blockworks newsletters:

• The Breakdown: Decoding crypto and the markets. Daily.
• Empire: Crypto news and analysis to start your day.
• Forward Guidance: The intersection of crypto, macro and policy.
• 0xResearch: Alpha directly in your inbox.
• Lightspeed: All things Solana.
• The Drop: Apps, games, memes and more.
• Supply Shock: Bitcoin, bitcoin, bitcoin.