3Commas Admits to API Database Leaks After Initial Denials

3Commas CEO Yuriy Sorokin, who had earlier denied allegations, has now acknowledged that there was an API breach from 3Commas. Sorokin claimed that the platform has launched a full investigation involving law enforcement.

A Twitter user going under an alias was able to gain almost 100,000 API keys belonging to 3Commas customers. More than 10,000 of the keys were released by the leaker on Wednesday, and the remainder “will be published complete [sic] randomly in the upcoming days,” according to the leaker.

3Commas CEO Yuriy Sorokin confirmed the authenticity of the leak in a tweet on Wednesday, adding that “as an immediate action, we have asked that Binance, KuCoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas.”

1. Statement from 3Commas:

We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.

— Yuriy Sorokin (@YS_3Commas) December 28, 2022

Numerous users have complained that their API keys have been unlawfully used to perform trades on platforms including Binance, KuCoin, and Coinbase. This has led to the breach. 3Commas verified that customers lost at least $6 million to attackers beginning in October; however, users claim that the amount has at least quadrupled in subsequent weeks.

3Commas’ Initial Denials

On December 11, Yuriy Sorokin, CEO of 3Commas, said that false screenshots purporting to show its poor security had been making the rounds on Twitter and YouTube. He also denied allegations that employees had obtained API credentials.

He argued that the person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. He further added that the firm was going to go through those point by point.

3Commas first started having security issues in late October. The exchange also released a security notice in response to user complaints at the time regarding unlicensed trading on FTX. 

FTX and 3Commas stipulated it as a potential phishing attempt where hackers created accounts to make trades. The API keys, according to 3Commas, were not obtained from their exclusive platform but rather from duplicate websites.

We investigated reports that some user accounts were compromised and investigated with FTX – we found the issue is likely related to Phishing, please read more here: https://t.co/ivdHo0IdEj pic.twitter.com/pmosstfrGi

— 3Commas (@3commas_io) October 21, 2022

Later, Sorokin stated that the theft of the API had been at least partially influenced by phishing. The crypto community on Twitter, however, said that a security flaw had exposed the API keys.

API Leak Victims Demand Refunds and Apology

Victims of the API leak are calling for refunds and an apology from the crypto trading platform for being gaslighted over the whole ordeal.

The community has been left bewildered by this surprise admission, considering that 3Commas had on Dec. 11 labeled customer reports of a leak as “false rumors shared by bad faith actors using falsified evidence.”

I want my money back – you owe us a huge apology, but right now I only care only about item #1

— Jason Simmons (@mr_bletch) December 28, 2022

You kept lying and saying this was our fault instead of taking responsibility and prevented further exploits. Are you going to refund the users now?

— CoinMamba (@coinmamba) December 28, 2022

But didn't you gaslight everyone into thinking that it was their fault for getting "phished?"

Where's the apology for people who pulled all their hair out and went bald because they thought it was their fault

— Garlam (@GarlamWON) December 28, 2022

3Commas repeatedly confirmed no hack. You’ve lost your most valuable asset – Reputation. pic.twitter.com/8BtAcUyfUZ

— CryptoAlerts365 (@CryptoAlerts365) December 29, 2022