3Commas CEO confirms API key leak following warning from CZ

Published at: Dec. 28, 2022

Binance CEO Changpeng Zhao (CZ) warned his 8 million Twitter followers on Dec. 28 that he is “reasonably sure” that API key leaks are taking place at the cryptocurrency trade management platform 3Commas.

I am reasonably sure there are widespread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately. Stay #SAFU.

— CZ Binance (@cz_binance) December 28, 2022

The disclosure by CZ followed an incident on Dec. 9, when Binance cancelled the account of a user who complained about losing funds a day earlier. That user claimed a leaked API key tied to 3Commas was used “to make trades on low cap coins to push up the price to make profit.” Binance declined to reimburse the user. CZ tweeted that the loss was unverifiable, and if the company made up for such losses “we will just be paying for users to lose their API keys.”

Mamba, there is almost no way for us to be sure users didn’t steal their own API keys. The trades were done using API keys you created. Otherwise we will just be paying for users to lose their API keys. Hope you understand.

— CZ Binance (@cz_binance) December 9, 2022

On Dec. 11, 3Commas CEO Yuriy Sorokin claimed on the company blog that fake screenshots were circulating on Twitter and YouTube to show the company had lax security and that employees were stealing API keys. Sorokin denied the allegations in an in-depth technical analysis of the fakes:

“The person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. We’ll go through those point by point.”

Security issues first arose at 3Commas in late October. At that time, the still-functional FTX exchange issued a security alert in response to reports from users of unauthorized trades of trading pairs with the DMG coin on FTX. 3Commas and FTX determined that hackers had created 3Commas accounts to perform the trades. However, according to the 3Commas blog, “the API keys were not taken from 3Commas but from outside of the 3Commas platform.”

In a later blog post, Sorokin acknowledged that “we have hard evidence that phishing was at least in some part a contributory factor” in user losses.

In the meantime, a Twitter user has alleged that all of 3Commas' API keys have been leaked.

PSA 3Commas API leak has been published, if you haven't already REMOVE YOUR API KEY pic.twitter.com/yEvrxyWBIq

— db (@tier10k) December 28, 2022

Now, Sorokin has confirmed the leak, adding that no proof was found that the leak was an inside job.

1. Statement from 3Commas: We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.

— Yuriy Sorokin (@YS_3Commas) December 28, 2022