In Brief
- 3Commas CEO Yuriy Sorokin, who had earlier denied allegations, has now acknowledged that there was an API breach from 3Commas.
- Sorokin claimed that the platform has launched a full investigation involving law enforcement.
- After multiple users claimed that their funds had been lost, Binance's CZ issued a warning.
Binance CEO Changpeng ‘CZ’ Zhao stated that he was fairly certain that 3Commas, a platform for managing cryptocurrency trades, has a widespread API key leak.
On Dec 29, CZ advised users on Twitter to disable any exchange API keys that they ever input on the 3Commas platform. Additionally, he responded to a user by saying that although Binance is trying to disable it across the site, the task is ‘tricky.’
The statement from CZ follows an incident on Dec. 9 where Binance closed the accounts of some users who complained that their funds had been drained.
Previously, a user claimed that the 3Commas platform had exposed the API key. It was apparently utilized to trade low-cap crypto assets to drive prices and profit.
In response, Binance refused to reimburse the users. CZ argued it could never be ascertained that users didn’t steal their own API keys. He said, “The trades were done using API keys you created. Otherwise, we will just be paying for users to lose their API keys. Hope you understand.”
Deniying Security Issues
On Dec. 11, 3Commas CEO Yuriy Sorokin stated that false screenshots depicting its lax security had been circulating on Twitter and YouTube. Additionally, he refuted claims that 3Commas staff members had stolen API keys.
He argued, “The person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. We’ll go through those point by point.”
In late October, 3Commas first began experiencing security concerns. In response to allegations from users about unauthorized trading on FTX at the time, the exchange also issued a security alert.
FTX and 3Commas stipulated it as a potential phishing attempt where hackers created 3Commas accounts to make trades. According to 3Commas, the API keys were not taken from their proprietary platform but from replicated websites.
Sorokin later acknowledged that evidence showed that phishing was at least a contributing factor in the API theft.
However, the crypto community on Twitter claimed that 3Commas API keys had been compromised due to a security breach.
3Commas Finally Admits to Experiencing Data Leaks
In a recent development, CEO Yuriy Sorokin took to Twitter to acknowledge for the first time that there was a data leak in his company. Sorokin explained that they had verified that the information in the files was accurate after seeing the hacker’s message. Moreover, the executive confirmed that 3Commas has now demanded the immediate revocation of all the keys from Binance, Kucoin, and all supported exchanges.
The platform chief also agreed that an inside job is always possible but found no evidence of this in the investigation.
Now, he claimed that the platform launched a full investigation involving law enforcement. Meanwhile, 3Commas’ Twitter account claims that no key made after Nov. 16 is at risk.
The platform also stated, “We urge every user to reissue their keys on the exchanges. Again, we commit to saying that no keys after Nov. 16 are at risk. In case you do not update those, they will be revoked by exchanges to ensure your account security.”
Estimated Loss Above $10 Million
On Dec. 23, a group of traders alleged that an API key from the 3Commas platform had been compromised, allowing for the theft of more than $22 million in cryptocurrency.
3Commas only came clean after the Twitter crypto community obtained and publicly posted around 100,000 of its users’ API keys.
On Dec 20, blockchain investigator ZachXBT claimed that 44 victims had lost around $14.8 million due to the stolen keys.
In his latest statement, ZachXBT said, “3Commas finally acknowledged the leak, but the damage had already been done. For weeks they have been blaming its users and accepting zero responsibility.”
Disclaimer
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.