Last week, a group of traders said that $22 million worth of cryptocurrency was stolen through hacked API keys from the 3Commas trading platform. On Wednesday, 3Commas admitted that it was the source of the API leak.
The announcement came after an anonymous Twitter user obtained about 100,000 API keys belonging to 3Commas users and posted them online.
3Commas initially insisted that there was no security problemCo-founder Yuri Sorokin suggested repeatedly on Twitter that a phishing attack caused users to give up their data.
But Sorokin tweeted on Wednesday: “We saw the hacker’s message and can confirm that the information in the files is correct… We regret that this has reached this point and will remain transparent in our communication about the situation.”
1. Statement from 3Commas:
We’ve seen the hacker’s message and can confirm the information in the files is correct. As an immediate measure, we have asked Binance, Kucoin, and other supported exchanges to revoke all keys associated with 3Commas.
3Commas is a platform that allows users to link multiple crypto exchange accounts – such as those on Binance – to the automated trading software. This is all done via Application Programming Interfaces (APIs), which are the standard mechanisms that allow separate software components to communicate with each other and perform tasks. The idea is that people don’t have to do the hard work of thinking about their careers. Instead, everything is done instantly and automatically via code.
So that the wrong people can access the APIs.
Blockchain advice @tweet He previously said on Twitter that he investigated a group of 44 victims who lost a total of $14.8 million through API keys stolen from 3Commas.
In response, Sorokin tweeted, “If you’re a victim, it means your keys were leaked in some way,” but “not from 3Commas.” Had the leaked API keys been from 3Commas, “you would have seen millions of instances, not hundreds,” he said.
If you are a victim – it means that your keys have been leaked in some way. Not from 3Commas, otherwise you would see millions of instances, not a hundred. Browser extensions, hackers, and all kinds of malware exist.
in a Separate topicHe criticized the “incompetence of major media sources” and questioned the validity of a mass spreadsheet of hacked accounts. “Be aware that the majority of users who report losses have not even opened a support ticket with the exchange and have not gone to the police,” Sorokin wrote on Twitter. How was this information verified?
Again it is claimed That there are very few incidents of abuse of 3Commas. There are more than 1 [million] keys linked to 3Commas, with almost 100 users reporting issues with their accounts,” Sorokin tweeted.. “Why is this happening again [database] leaked?
Today, ZachXBT tweeted confirming that “within weeks [3Commas] He blamed his users and took no responsibility.”
“You keep lying and saying it was our fault instead of taking responsibility and preventing further exploitation,” he adds. @tweetAnother 3Commas user said he lost money. “Are you going to refund users now?”
This is not the first time that 3Commas and its API management have come under scrutiny. About a month before FTX filed for bankruptcy, Sam Bankman-Fried agreed to refund $6 million to customers affected by what was described as a phishing scam involving 3Commas.
On Wednesday, Binance CEO Changpeng Zhao tweeted that he was “reasonably confident” that there were “extensive API key leaks” from 3Commas.
I’m pretty sure there have been widespread API key leaks from 3Commas. If you have previously entered an API key on 3Commas (from any exchange), please deactivate it immediately.