3Commas Admits APIs Were Leaked Contrary To Prior Statements

The first hints of trouble started brewing back in October. At the time, 3Commas was accused of leaking API keys that allowed bad actors to take control of APIs sold to end users, with disastrous consequences.

An automated trading platform, 3Commas provides customers with an API that they can then connect to exchange platforms in order to allow the bot to perform split-second transactions when an opportunity for profit is sighted.

If the key used to connect the API to the platform were to be intercepted, it would allow a bad actor to essentially hijack the end user’s crypto exchange account without needing the trader’s password, e-mail, and so on.

• In October, about $6 million dollars were stolen from FTX accounts via the 3Commas API. FTX – which at the time was allegedly solvent – took the decision to reimburse the users, in spite of the fact that these particular funds were stolen through no fault of FTX’s.
• However, SBF also stressed that the refund was a one-time exception.
• Just over a month later, a similar incident occurred – this time on Binance.
• The exchange refused to refund the user, with CZ stating that there was no way to ascertain good faith on the part of the user.
• Furthermore, even if the user was certain to have acted in good faith, this would not have necessarily been a failing on Binance’s part, as phishing could have happened off of the platform entirely.Nearly three weeks later, CZ returned to Twitter, advising users to disable any 3Commas API keys on Binance, as he had reasons to believe the keys were compromised en masse.
• The tweet set off alarm bells across the community, and less than a day later, Yuriy Sorokin – the CEO and Founder of 3Commas – admitted that the leaked keys did, indeed, come from 3Commas.
• However, according to Sorokin, there is no proof of this having been an inside job.

“We did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found. Only a small number of technical employees had access to the infrastructure and we have taken action since November 19 to remove their access.”

• This is in stark contrast to declarations made two weeks earlier, where Sorokin accused victims of falsifying evidence and claimed that 3Commas is not at fault in the slightest.
• The debacle has understandably gotten traders up in arms yet again, with many waiting for more light to be shed on the situation – and hopefully, some refunds.