A Twitter user going by an alias was able to obtain about 100,000 API keys belonging to 3Commas customers. More than 10,000 of the keys were released by the leaker on Wednesday, and the remainder “will be published full [sic] randomly in the upcoming days,” according to the leaker.
In a tweet on Wednesday, 3Commas CEO Yuriy Sorokin stated that the company had “asked that Binance, KuCoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas” in response to the leak’s authenticity.
Application programming interface keys, or API keys, are pieces of code used to identify a user.
Numerous 3Commas users have complained that their API keys have been unlawfully used to execute trades on platforms like Binance, KuCoin, and Coinbase. This has led to the leak. As CoinDesk previously reported, 3Commas confirmed that users lost at least $6 million to attackers beginning in October, but users who spoke with CoinDesk claim that the amount has at least doubled in recent weeks.
Because doing so might further expose sensitive private information, CoinDesk isn’t naming or linking to the leaker’s pseudonymous Twitter account.
3Commas initially told CoinDesk that phishing attacks were to blame for its users’ losses, but more than 50 of them have banded together in Telegram chat groups to insist that 3Commas or an exchange like Binance or Coinbase must have leaked their credentials.
The data leak on Wednesday is the most convincing proof to date that the credentials were not phished but rather leaked. Several 3Commas users confirmed to CoinDesk that they were able to locate their API keys among those shared by the leaker.
Sorokin of 3Commas noted in his tweet that an inside job was always a possibility and was on the company’s watch list, and that he and his business “did everything that we could to investigate an inside job, but proof of an inside job was not found.”
Before 3Commas made its announcement, Binance CEO Changpeng Zhao asked users to disable any API keys they may have previously entered into 3Commas (from any exchange) right away.
Users of 3Commas can create trading bots that automatically carry out trades on their behalf on external cryptocurrency exchanges. Users enter the API keys they receive from those exchanges into 3Commas to give the app access to their accounts. This week’s leaker claimed that the Binance and KuCoin API keys were produced by these exchanges.