An anonymous Twitter user stole approximately one hundred thousand API keys for the 3Commas cryptocurrency trading platform. The leaker posted over 10,000 keys on Wednesday and claims the remainder will be published in the next few days.
In a tweet published on Wednesday, 3Commas CEO Yuriy Sorokin acknowledged the leak’s veracity and requested that Binance, Kucoin, and other supporting exchanges withdraw all the [API] keys connected to 3Commas.
1. Statement from 3Commas:
We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
— Yuriy Sorokin (@YS_3Commas) December 28, 2022
Dozens of 3Commas customers have complained that their API keys were stolen and used to trade on unapproved platforms, including Binance, KuCoin, and Coinbase. The $6 million that 3Commas acknowledged consumers lost to attackers beginning in October has reportedly at least quadrupled in recent weeks.
While 3Commas informed CoinDesk that its users’ losses were due to phishing attempts, more than 50 individuals who have banded together in Telegram group conversations claim that 3Commas or an exchange like Binance or Coinbase must have released their passwords.
The information dump provides the most convincing proof that the credentials were released rather than phished. Several CoinDesk users who use 3Commas have confirmed that their API keys were among those leaked.
Sorokin of 3Commas tweeted that his company did everything to examine an inside job because it was always a likely scenario and on the watchlist, but proof of an inside job was not uncovered.
Binance CEO Changpeng Zhao warned customers on Wednesday afternoon, before 3Commas issued its announcement, to deactivate it immediately if they had already entered an API key into 3Commas from any exchange.
I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.
Stay #SAFU.
— CZ 🔶 Binance (@cz_binance) December 28, 2022
A user of 3Commas can set up a trading bot to make crypto transactions on their behalf on external exchanges. User accounts on these marketplaces are authenticated by API keys, which are then entered into 3Commas. This week’s dump allegedly contains API keys created on Binance and KuCoin.