An anonymous Twitter user yesterday posted a set of 10,000 API keys allegedly obtained from the 3Commas cryptocurrency trading platform.
3Commas bots use these API keys to generate profits for clients by interacting with cryptocurrency exchanges without requiring account credentials, to perform automated investments and trading actions on behalf of users.
The Twitter user claimed the leaked set only represents 10% of the 100,000 API keys he holds and said he plans to release them all in the coming days.
3Commas has reviewed the leaked data and confirmed today that the files contain valid API keys. As a result, the platform now urges all supported exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys connected to 3Commas.
Users are advised to self-reissue their keys on all linked exchanges and contact 3Commas Support for advice on further action on a case-by-case basis.
Additionally, the platform claims to have investigated whether the leak was an inside job, but found no evidence.
“Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access,” says the Announcing 3Commas on Twitter.
“Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved,” the company added.
Unfortunately, 3Commas took its time in confirming the breach and many of its users have already lost funds over the past few months after seemingly unauthorized transactions originating from their accounts.
The first reports of unauthorized transactions triggered via 3Commas arrived in October 2022 and peaked in recent weeks.
In November, large amount holders reported losing approximately $6,000,000 worth of crypto after 3Commas somehow leaked their credentials.
All the while, the trading platform has ruled out the possibility of a breach, suggesting that users who reported these issues must have fallen victim to phishing attacks or used unofficial trojaned apps.
On December 10, 2022, after several subsequent reports of unauthorized transactions using leaked API keys, 3Commas issued a survey update claiming they couldn’t find any evidence of a compromise on their systems.
The next day, the platform published a new post for dismiss claims about its employees who steal users’ API keys to siphon off user assets.
3Commas users whose unauthorized transaction reports were rejected by the company are now require full refunds.
At the time of publication, 3Commas has made no statement regarding possible compensation. BleepingComputer has contacted the company for clarification in this regard and is awaiting a response.