After 2 months of denying a possible data leak from his platform, Yuriy Sorokin, the CEO of 3Commas, has finally had to admit that his customers' API keys are indeed compromised. However, the origin of the breach remains unexplained at the time of writing.
3Commas API keys leaked
Yuriy Sorokin, CEO of 3Commas, an automated cryptocurrency trading platform, has finally admitted that its users' API keys were indeed compromised:
1. Statement from 3Commas:
We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
— Yuriy Sorokin (@YS_3Commas) December 28, 2022
“We have seen the message from the hacker and can confirm that the data in the files is true. As an immediate action, we asked Binance, Kucoin, and other supported exchanges to revoke all keys that were connected to 3Commas.”
Here, Yuriy Sorokin refers to a Twitter user who shared part of the 3Commas database, which notably contained platform users' API keys.
Unsurprisingly, the responses to the 3Commas CEO's statement were particularly vindictive. Indeed, for around 2 months a growing number of platform users have been complaining about unexplained actions on their accounts, while 3Commas has continued to deny any liability.
Although the problem is indeed confirmed today, the origin of the breach remains a mystery, according to Yuriy Sorokin:
“We did everything we could to investigate an inside job, as it was still a possible scenario and it was on our list of possibilities to watch, but it was not found. Only a small number of technicians had access to the infrastructure and we took action on November 19 to remove their access. We are sorry that this situation has become so serious and we will continue to be transparent in our communications on this subject.”
Losses that could have been limited
As we mentioned earlier, a number of users have started complaining about external actions on their cryptocurrency trading accounts, which Changpeng Zhao, the CEO of Binance, himself shared on Twitter:
We have seen at least 3 cases of users who shared their API key with 3rd party platforms (Skyrex and 3commas), and seen unexpected trading on their accounts. If you used such a platform before, I highly recommend you to delete your API keys just to be safe. 🙏
— CZ 🔶 Binance (@cz_binance) November 14, 2022
And yet, on many occasions, 3Commas denied the facts in lengthy blog posts, explaining that evidence and other screenshots of potential vulnerabilities in its database were fabricated or faked. 3Commas also placed the blame on its users, accusing them in particular of having been fooled by phishing attempts.
In addition, a survey conducted by @ZachXBT, revealed on December 20, reported $14.8 million stolen from 44 victims. It should be noted that these are only affected individuals who decided to come together to share their misadventure, and that the total number of victims is undoubtedly much higher.
2/3 Users have made complaints across different exchanges. It’s clear this is not phishing and api keys were stolen.
3Commas and their founder have chosen to blame its users. Delete the api keys if you haven’t already and stop using 3commas.
— ZachXBT (@zachxbt) December 20, 2022
“Users have filed complaints on various cryptocurrency exchanges. It is clear that it is not phishing and that the access keys have been stolen. 3Commas and its founder chose to blame their users. Delete your access keys if you haven’t already and stop using 3Commas.”
However, now that the data leak has finally been admitted, it remains to be seen what will happen to the users affected. For now, it seems that some of them have come together to take collective action in court.