A group of traders last week said that $22 million worth of crypto had been stolen through compromised API keys from the trading platform 3Commas. On Wednesday, 3Commas admitted it was the source of that API leak.
The announcement came after an anonymous Twitter user obtained around 100,000 API keys belonging to 3Commas users and published it online.
3Commas had initially insisted there was no security issue on its end, and co-founder Yuriy Sorokin repeatedly suggested on Twitter that a phishing attack caused users to give up their data.
But on Wednesday, Sorokin tweeted: “We saw the hacker’s message and can confirm that the data in the files is true... We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation."
3Commas is a platform that lets users link multiple crypto exchange accounts—such as those kept on Binance—to automated trading software. This is all done via APIs (application programming interfaces), the standardized mechanisms that enable separate software components to communicate with each other and perform tasks. The idea is that humans don’t have to do the hard work of thinking about their trades. Instead, it's all done instantly and automatically via code.
Until the wrong people get access to the APIs.
Blockchain sleuth @ZachXBT previously said on Twitter that he had verified a group of 44 victims who lost a total of $14.8 million through API keys stolen from 3Commas.
In response, Sorokin tweeted that “If you are a victim, then it means that somehow your keys were leaked,” but "not from 3Commas." If the leaked API keys had been from 3Commas, "you would've seen millions of cases, not a hundred," he reasoned.
In a separate thread, he blasted “incompetency from big media sources” and questioned the validity of a crowdsourced spreadsheet of compromised accounts. “Pay attention that the majority of the users reporting losses didn't even open a support ticket with the exchange, and didn't go to the police,” Sorokin tweeted. “How was this information verified?”