For a while now, 3Commas users have been posting on social media about a possible breach that led to their API keys being leaked. This resulted in unauthorized and unusual trading patterns on users’ exchange accounts, in most cases in a bid to pump and dump coins. 3Commas had so far denied all of the rumors, saying there was no breach, but with irrefutable evidence now staring it in the face, the crypto trading platform has taken responsibility for the first time.
How It Started
Popular on-chain sleuth ZachXBT took to his Twitter account to share some damning evidence that had been shared with him. In the screenshots shared with his more than 340,000 followers, someone claimed to have had access to more than 100,000 API keys leaked from 3Commas, which he eventually shared with Zach.
Zach explained that he had verified these claims by checking the API keys, and that multiple people in a group created for those who had their 3Commas API keys leaked had confirmed that their keys were in fact in the database that had been shared with him.
In a follow-up tweet, Zach posted a letter that the sender called a “Late Christmas Gift” in which they claim that there was not a breach. Rather, they say, the information had been sold to them by the staff of the 3Commas team.
A more alarming revelation was that this person or group of people claims to have even more API keys. Apparently, they plan to publicly release the complete database of over 100,000 API keys. Thankfully, they plan to remove any personal or identifying information from the database in a bid to protect people.
2/ I won’t spread the db as some of the keys are potentially still active but here is what the account had to say about the leak in a post:
Unfortunately it seems they will be publishing the full database of 3Commas users soon. pic.twitter.com/XSf6GslXZ8
— ZachXBT (@zachxbt) December 28, 2022
3Commas Finally Acknowledges The Leak
In light of the exposure provided by the ZachXBT thread, the 3Commas team has taken responsibility for the data leak for the first time. Founder and CEO Yuriy Sorokin took to Twitter to acknowledge the authenticity of the claims. The CEO explained that they had been investigating an inside job but were unable to determine that the leak was from a staff member.
1. Statement from 3Commas:
We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
— Yuriy Sorokin (@YS_3Commas) December 28, 2022
Interestingly, Sorokin explains that the small number of technical employees who had access to the data had been stripped of their access on Nov. 19, which means the company had known about the leak for at least a month. But 3Commas had continued to gaslight users, accusing them of falling for phishing scams and asking them to go to exchanges when the problem had come from 3Commas all along.
“3Commas finally acknowledged the leak but the damage had already been done. For weeks they have been blaming its users and accepting zero responsibility,” ZachXBT said. “Make sure to never give incompetent clowns like @3commas_io your business ever again.”
Customers and exchanges have been advised to revoke all API keys connected to the 3Commas platform. As for 3Commas, Sorokin said: “We have implemented new security measures and will not stop there; we are launching a full investigation involving law enforcement.”