Finally, 3Commas Admits API Hack on Their End

When asked about the security breach, 3Commas first denied any fault on its end, with co-founder Yuriy Sorokin suggesting on Twitter that a phishing attempt was to blame, but admitted the hack later.

Third Comma Corporation Admits It Caused Hacks Through An API Vulnerability

Two weeks ago, a group of investors claimed that $22 million in cryptocurrency had been taken from the trading platform 3Commas due to hacked API keys. As of this past Wednesday, 3Commas had come clean about being the company responsible for the API vulnerability.

The announcement was issued after an anonymous, unaffiliated Twitter user revealed over 100,000 API keys belonging to 3Commas users.

When asked about the security breach, 3Commas first denied any fault on its end, with co-founder Yuriy Sorokin suggesting on Twitter that a phishing attempt was to blame.

On Wednesday, however, Sorokin tweeted (1):

"We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas."

What is an API?

With 3Commas, users can connect multiple Binance or other cryptocurrency exchange accounts to trading bots. This is achieved through APIs (application programming interfaces), the standardized procedures that allow various software components to interact with one another and carry out activities.

The premise is that users do not have to spend mental effort managing their trades by hand. Instead, everything is handled promptly and automatically by code. That holds only so long as malicious actors do not gain access to the APIs.

An earlier Twitter post by blockchain investigator @ZachXBT claimed to confirm the existence of 44 victims who had collectively lost $14.8 million due to compromised API keys belonging to 3Commas.

In response, Sorokin wrote on Twitter that the keys were "not from 3Commas. you would've seen millions of cases, not a hundred," arguing that far more accounts would have been affected had the stolen API keys come from 3Commas.

On a different thread (1), he criticized the "incompetence from big media sources" and cast doubt on the integrity of a community spreadsheet of hacked accounts.

Sorokin also tweeted that the vast majority of users who reported losses did not contact the exchange's customer care or the authorities.

"How did you make sure that this was true?"

3Commas Had Been Denying Any Lapse on Its End

Yet again, he insisted that there were too few cases for it to be a 3Commas exploit. Sorokin tweeted that

"over 1 [million] keys are connected to 3Commas," and that "100 users" have reported problems with their accounts. "Why would that take place if the [database] was compromised?"

"For weeks [3Commas] have been blaming its users and admitting zero accountability," ZachXBT tweeted today after being vindicated.

Another 3Commas customer who lost money commented (2),

"You kept lying and saying this was our fault instead of taking responsibility and preventing further exploits. Are you going to issue users refunds at this time?"

Not the First Time 3Commas Is Under Fire

This is not the first time 3Commas's API handling has been questioned. Sam Bankman-Fried agreed to refund $6 million to clients harmed by a phishing scheme using 3Commas around a month before FTX filed for bankruptcy.

Binance CEO Changpeng Zhao was "reasonably sure" on Wednesday that 3Commas had "widespread API key leaks," according to a tweet he sent out.

CZ also mentioned that 3Commas API keys should be turned off. This is also the advice given by 3Commas.

"We have asked Binance, Kucoin, and other supported exchanges to immediately revoke all keys associated with 3Commas," Sorokin said in a tweet.