3Commas Admits to API Database Leaks After Initial Denials

3Commas CEO Yuriy Sorokin, who had earlier denied allegations, has now acknowledged that there was an API breach from 3Commas. Sorokin claimed that the platform has launched a full investigation involving law enforcement.

A Twitter user going under an alias was able to gain almost 100,000 API keys belonging to 3Commas customers. More than 10,000 of the keys were released by the leaker on Wednesday, and the remainder “will be published complete [sic] randomly in the upcoming days,” according to the leaker.

3Commas CEO Yuriy Sorokin confirmed the authenticity of the leak in a tweet on Wednesday, adding that “as an immediate action, we have asked that Binance, KuCoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas.”

Numerous users have complained that their API keys have been unlawfully used to perform trades on platforms including Binance, KuCoin, and Coinbase. This has led to the breach. 3Commas verified that customers lost at least $6 million to attackers beginning in October; however, users claim that the amount has at least quadrupled in subsequent weeks.

3Commas’ Initial Denials

On December 11, Yuriy Sorokin, CEO of 3Commas, said that false screenshots purporting to show its poor security had been making the rounds on Twitter and YouTube. He also denied allegations that employees had obtained API credentials.

He argued that the person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. He further added that the firm was going to go through those point by point.

3Commas first started having security issues in late October. The exchange also released a security notice in response to user complaints at the time regarding unlicensed trading on FTX. 

FTX and 3Commas stipulated it as a potential phishing attempt where hackers created accounts to make trades. The API keys, according to 3Commas, were not obtained from their exclusive platform but rather from duplicate websites.

Later, Sorokin stated that the theft of the API had been at least partially influenced by phishing. The crypto community on Twitter, however, said that a security flaw had exposed the API keys.

API Leak Victims Demand Refunds and Apology

Victims of the API leak are calling for refunds and an apology from the crypto trading platform for being gaslighted over the whole ordeal.

The community has been left bewildered by this surprise admission, considering that 3Commas had on Dec. 11 labeled customer reports of a leak as “false rumors shared by bad faith actors using falsified evidence.”