After 2 months of denying a possible data leak from his platform, Yuriy Sorokin, the CEO of 3Commas, has finally admitted that his customers’ API keys were indeed compromised. The origin of the breach is still unexplained at the time of writing.
3Commas API keys leaked
Yuriy Sorokin, the CEO of 3Commas, an automated cryptocurrency trading platform, has finally admitted that his users’ API keys were indeed compromised:
1. Statement from 3Commas:
We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
– Yuriy Sorokin (@YS_3Commas) December 28, 2022
“We have seen the hacker’s message and can confirm that the data in the files is true. As immediate action, we have asked Binance, Kucoin, and other supported exchange platforms to revoke all keys that were connected to 3Commas.”
Here, Yuriy Sorokin refers to a Twitter user who shared part of 3Commas’ database, which contained, among other things, API keys of the platform’s users.
Unsurprisingly, the responses to the 3Commas CEO’s statement were particularly vindictive. For about 2 months, a growing number of platform users had been complaining about unexplained actions on their accounts while 3Commas kept denying any responsibility.
Although the problem has now been confirmed, the origin of the breach remains a mystery, according to Yuriy Sorokin:
“We did everything we could to investigate an inside job, because it was always a possible scenario and it was on our list of possibilities to watch out for, but it was not found. Only a small number of technicians had access to the infrastructure and we took action on 19 November to remove their access. We are sorry that this situation has escalated to such an extent and will continue to be transparent in our communications on this matter.”
Losses that could have been limited
As previously reported, a number of users had begun complaining about external actions on their cryptocurrency trading accounts, something Changpeng Zhao, the CEO of Binance, had himself shared on Twitter:
We saw at least 3 cases of users who shared their API key with 3rd party platforms (Skyrex and 3commas), and saw unexpected trading on their accounts. If you used such a platform before, I highly recommend you to delete your API keys just to be safe.
– CZ Binance (@cz_binance) November 14, 2022
And yet, 3Commas repeatedly denied the facts in lengthy blog posts, explaining that the evidence and other screenshots of potential vulnerabilities in its database were fabricated or faked. 3Commas also blamed its users, accusing them of being tricked by phishing attempts.
In addition, an investigation conducted by @ZachXBT revealed on 20 December that 14.8 million dollars had been stolen from 44 victims. It should be noted that these are just individuals who have been victimised and have decided to band together to share their misfortune, and that the total number of victims is probably much higher.
2/3 Users have made complaints across different exchanges. It’s clear this is not phishing and api keys were stolen.
3Commas and their founder have chosen to blame its users. Delete the api keys if you haven’t already and stop using 3commas.
– ZachXBT (@zachxbt) December 20, 2022
“Users have filed complaints on various cryptocurrency exchanges. It is clear that this is not phishing and that the access keys have been stolen. 3Commas and its founder have chosen to blame their users. Delete your access keys if you have not already done so and stop using 3Commas.”
However, now that the data leak has finally been admitted, the question remains as to what will happen to the affected users. For the time being, it seems that some of them have joined together to bring a class action lawsuit.