3Commas repeatedly told users that they had been “phished” after a massive hack.
An anonymous Twitter user obtained nearly 100,000 API keys belonging to 3Commas users. On Wednesday, the leaker published more than 10,000 of the keys. According to the leaker, the rest will be released completely randomly in the coming days.
Yuri Sorokin, CEO of 3Commas, confirmed the news and the authenticity of the leak in a tweet on Wednesday. He added that “as an immediate measure, we have asked Binance, Kucoin and other supporting exchanges to invalidate all keys associated with 3Commas.”
This comes after dozens of users reported that their API keys were illegally used, without their consent, to transact on exchanges including Binance, Kucoin and Coinbase. As Coindesk previously reported, 3Commas has confirmed that users have lost at least $6 million to attackers since October.
Several users, however, have said that the amount has at least doubled in recent weeks.
Coindesk is not linking to or naming the Twitter account of the pseudonymous whistleblower, because doing so may further expose sensitive private information.
3Commas initially told Coindesk that phishing attacks were harming its customers. However, more than 50 of those users, who have come together in Telegram group chats, insist that their credentials may have been leaked by 3Commas or by exchanges such as Binance or Coinbase.
Wednesday’s data provided clear evidence that the credentials were leaked rather than phished. Several 3Commas users confirmed to Coindesk that they could find their API keys among the keys shared by the whistleblower.
In a tweet, 3Commas’ Sorokin noted that he and his company “did everything possible to investigate insider trading, as it was always a potential scenario and was on our watch list, but no evidence of insider trading was found.”
On Wednesday afternoon, before making his statement to 3Commas, Binance CEO Changpeng Zhao warned users that anyone who has ever entered an API key into 3Commas should disable it immediately.
3Commas allows users to create trading bots that automatically execute trades on their behalf on external cryptocurrency exchanges. Users enter the API key received from these exchanges into 3Commas to give the app access to their accounts.
The whistleblower claims that the API keys released this week were generated on Binance or Kucoin.