Crypto platform 3Commas admits hackers stole API keys

An anonymous Twitter user published yesterday a set of 10,000 API keys allegedly obtained from the 3Commas cryptocurrency trading platform.

3Commas bots use these API keys to generate profit for the customers by interacting with cryptocurrency trading exchanges without requiring account credentials, to perform automated investment and trading actions on behalf of the users.

The Twitter user claimed the leaked set is just 10% of the 100,000 API keys they hold and said that they plan to publish them all in the following days.

3Commas looked into the leaked data and confirmed today that the files contain valid API keys. As a result, the platform now urges all supported exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys connected to 3Commas.

Users are advised to reissue their keys on all linked exchanges by themselves and contact 3Commas support to receive advice on subsequent actions on a case-by-case basis.

Additionally, the platform claims it has investigated the possibility of the leak being an inside job but found no evidence of that.

“Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access,” mentions the 3Commas announcement on Twitter.

“Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved,” the company added.

Unfortunately, 3Commas took its time to confirm the breach and many of its users have already lost funds over the past few months after seemingly unauthorized trades coming from their accounts.

Previous denial

The first reports of unauthorized transactions triggered via 3Commas came in October 2022 and culminated in recent weeks.

In November, holders of significant amounts reported that they lost roughly $6,000,000 worth of crypto after 3Commas somehow leaked their credentials.

Throughout this time, the trading platform dismissed the possibility of a breach, suggesting that users who reported these issues must have fallen victim to phishing attacks or used unofficial trojanized apps.

On December 10, 2022, after several subsequent reports about unauthorized transactions using leaked API keys, 3Commas published an investigation update claiming that they could find no evidence of a compromise on their systems.

The next day, the platform published a new post to reject claims about its employees stealing user API keys to siphon user assets.

3Commas users whose reports about unauthorized transactions had been rejected by the company are now demanding full refunds.

At the time of publishing, 3Commas has not made any statement about a possible compensation. BleepingComputer has contacted the company for clarification in this regard and is waiting for a reply.