Over a dozen users of the crypto trading service 3Commas, which was backed by Sam Bankman-Fried’s Alameda Research, say the platform leaked their credentials and enabled attackers to run away with over $6 million in user funds.
The platform’s CEO has called these allegations “false rumors,” stating that those who lost their funds have been phished – meaning they accidentally shared their credentials with an exploiter.
But in an interview with CoinDesk on Monday, 3Commas Deputy Chief Technology Officer Artem Koltsov walked back the company’s unequivocal claim that every user who lost money was the victim of phishing or input-stealing.
“The very disappointing thing here is that nothing can be told for sure,” said Koltsov. “We know that there is phishing out there. We know that anything could happen with those API keys. We’re not happy about it.”
Neither side is able to prove its argument definitively: Just as 3Commas can’t state for certain that it was never the victim of a hack, its users can’t prove that they never accidentally shared their API keys.
But amid all the confusion, conflicting statements from 3Commas have invited more questions than answers.
3Commas, which is based in Estonia and calls itself the “largest automatic crypto trading platform,” claims in its Twitter bio that it processes $23 billion in monthly volume.
CoinDesk reported in September that it raised $37 million in Series B funding from Target Global, Jump Crypto and Alameda Research – the SBF-linked trading firm that imploded earlier this month along with Bankman-Fried’s FTX exchange.
The bread and butter of 3Commas is its trading bots – programs that automatically execute trades for users on exchange platforms like Binance, Coinbase and FTX.
In order for a 3Commas bot to execute trades on a platform like Coinbase, the user must give 3Commas an API key – secret credentials generated by the exchange which grant third-party platforms, like 3Commas, permission to trade on a user’s behalf.
Starting in October, several 3Commas users noticed that their accounts on Binance, Coinbase, FTX and OKX had been ransacked.
“I had an email from Coinbase saying, ‘Your account has been locked because of a security issue,’” recalled one 3Commas user, a U.K.-based entrepreneur, in an interview with CoinDesk. “I managed to go through their self-recovery process, which took about six hours. I got into the account and I could see that it’d been compromised.”
“There were dozens and dozens and dozens of trades,” the user said. “Basically, they used my API details to sell all of my assets into a low-cap, low-liquidity coin.” Altogether, this user says, he lost $200,000 to the exploit.
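As an added illustration that is not part of the article, nor code from 3Commas or any exchange, the following Python sketch shows how an exchange-side monitor could flag the pattern this user describes: a burst of API-originated trades liquidating many holdings into a single thinly traded asset. The trade records, the `source` field and the daily-volume figures are constructed for the example.

```python
"""Flag an API-key liquidation burst: many assets dumped into one illiquid coin."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int           # unix seconds (constructed)
    source: str       # "web" or "api" (assumed field: how the order was placed)
    sell_asset: str
    buy_asset: str
    usd_value: float


# Constructed sample: one normal web trade, then an API burst selling every
# holding into "XYZ", a low-cap coin, within a few seconds.
SAMPLE_TRADES = [
    Trade(1000, "web", "USDT", "BTC", 500.0),
    Trade(5000, "api", "BTC", "XYZ", 40000.0),
    Trade(5003, "api", "ETH", "XYZ", 25000.0),
    Trade(5005, "api", "SOL", "XYZ", 9000.0),
    Trade(5010, "api", "USDT", "XYZ", 12000.0),
]
# Constructed 24h volumes in USD; a real monitor would take these from market data.
DAILY_VOLUME_USD = {"BTC": 1e10, "ETH": 5e9, "SOL": 1e9, "USDT": 5e10, "XYZ": 200000.0}


def find_api_liquidation(trades, window_s=600, min_trades=3, min_sources=3, liquidity_ratio=0.1):
    """Return one alert per target asset when, inside a `window_s` window, API-originated
    trades move at least `min_sources` distinct assets into that target and the total moved
    is at least `liquidity_ratio` of the target's daily volume (the illiquid-coin dump)."""
    by_target = defaultdict(list)
    for t in sorted((t for t in trades if t.source == "api"), key=lambda t: t.ts):
        by_target[t.buy_asset].append(t)
    alerts = []
    for target, ts in by_target.items():
        best, start = None, 0
        for end in range(len(ts)):            # sliding window over this target's trades
            while ts[end].ts - ts[start].ts > window_s:
                start += 1
            window = ts[start:end + 1]
            total = sum(t.usd_value for t in window)
            sources = {t.sell_asset for t in window}
            # Unknown target volume never fires: .get() defaults to infinity.
            if (len(window) >= min_trades and len(sources) >= min_sources
                    and total >= liquidity_ratio * DAILY_VOLUME_USD.get(target, float("inf"))
                    and (best is None or total > best["usd_total"])):
                best = {"target": target, "usd_total": total, "assets_sold": sorted(sources)}
        if best:
            alerts.append(best)
    return alerts
```

Tuning the thresholds against normal bot activity is the real work; the point is that a liquidation of many assets into one illiquid coin through an API key is distinguishable from ordinary bot trading.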
Over a dozen users claimed to have been the victims of similar attacks, which happened in waves throughout October and November.
In communications reviewed by CoinDesk, Help Desk agents at Binance and Coinbase confirmed to several users that their accounts had been drained by hackers via their 3Commas API keys.
After the first wave of attacks in mid-October, 3Commas published a blog post confirming that some of its users’ API keys had been stolen. According to the firm, the API keys had been used to steal over $6 million – a number that would have increased with subsequent attacks in November.
3Commas said that an internal investigation found no evidence, however, that its platform had been breached. Instead, the firm concluded that users must have inadvertently shared their API credentials with phishing websites.
“The most typical phishing scam, which was the case with the one under discussion today, involves impersonating a legitimate company via email or other means and getting the user to click on a cloned website that closely resembles the interface the user is familiar with but with a slightly different URL,” wrote 3Commas CEO Yuri Sorokin. “The user enters their log-in details, and then significant stress and pain are experienced by that user and the legitimate service they’re trying to interact with.”
Rumors of a 3Commas leak
Not everyone bought 3Commas’ explanation for what happened, and rumors started to circulate online that 3Commas was using the story of a “phishing scam” to cover up an exploit.
Speculation of something more sordid grew louder on Nov. 14, when Changpeng “CZ” Zhao, the CEO of Binance, the world’s largest crypto exchange by volume, referenced 3Commas in a tweet: “We [sic] seen at least 3 cases of users who shared their API key with 3rd party platforms (Skyrex and 3commas), and seen unexpected trading on their accounts. If you used such a platform before, I highly recommend you to delete your API keys just to be safe.”
Sorokin addressed the leak rumors in a Nov. 15 blog post titled, “RE: False Rumors of API Leaks or Exposure of our Database.” At the top of the post, he reiterated that “3Commas traders are safe.”
As for the rumor that the platform had been breached, Sorokin called it “a completely baseless accusation being floated by individuals on social media who don’t understand how API key encryption actually works.”
This particular statement rubbed several 3Commas users who’d lost funds the wrong way. Users who believe their credentials were leaked by the firm organized themselves into a Telegram group. Many in the 18-person group claimed to be seasoned crypto users, and at least two identified as software engineers.
All of those with whom CoinDesk spoke insisted they found no 3Commas phishing sites in their browser histories.
Group members with whom CoinDesk spoke say they also took added precautions – like bookmarking the official 3Commas site and configuring two-factor authentication to secure their accounts.
Phishing scams typically work by tricking users into copying and pasting sensitive credentials onto a spoof site.
One Turkish engineer who lost $300,000 to the 3Commas API incident said that he connected his Binance exchange account to 3Commas using a “Fast API” service. According to Binance, the Fast API service removes the copy-paste step entirely – it would have connected 3Commas to Binance without requiring the user to manually input his API code.
If this user never manually pasted API credentials anywhere, as he claims in the Telegram group, it is less clear how he could have been phished.
“[3Commas has] known about this for up to a month and they could have taken more decisive action,” the U.K. entrepreneur told CoinDesk. “They have put out blog posts without any direct warnings, and all of the warnings are the party line that customers have been phished for their API details. But their claim just doesn't stand up.”
Members of the “3Commas Leak Issue” group have begun to flood the company’s Discord server, Twitter page, and Telegram groups with questions, requests for more transparency, and allegations that the platform has acted dishonestly.
3Commas, for its part, banned some disgruntled users from its Discord and has started closing down Telegram chats circulating rumors that the platform was breached. “We are now obliged to close Telegram group chats as we can see that some members proving [sic] the misleading and false information, which is a criminal offence,” Sorokin tweeted.
Setting the record straight
As users continue to hound 3Commas with questions, the firm appears to be backing off its assertion that phishing was the only explanation for how users lost their funds.
In a Nov. 18 tweet, 3Commas’ first stance was unequivocal: “Over the past month, there have been multiple incidents of unauthorized trades on partner exchanges. We’ve identified that these users’ API keys were accessed through a variety of phishing and input-stealing methods.”
To back up its claim that the attack was the result of phishing rather than a leak, 3Commas posted screenshots to its blog showing that dozens of spoofed versions of its site had proliferated in recent weeks. Several of these phishing sites were apparently promoted to the top of Google above the real 3Commas site – a disappointingly common tactic in the world of crypto-phishing scams.
But in his interview with CoinDesk later this week, Koltsov was more circumspect about what actually happened. “We cannot be 100% sure. We definitely know that there are phishing sites out there. But also, whenever you ask the user, most of them will say … ‘I have never dropped my keys anywhere.’” As for the denials from users, “there’s no way to check it at all,” said Koltsov.
The 3Commas API saga is ongoing. Both sides seem convinced that they are in the right, but neither can produce evidence definitively proving what happened.
3Commas has encouraged users to generate new API codes as a precaution, and it says that it updated its app to make future phishing scams more difficult to pull off.
In a statement shared with CoinDesk, 3Commas’ legal team said the firm was in the process of hiring outside experts to review its code and settle things definitively for users. In the meantime, they said, “Only a minuscule fraction of users reported abnormal activity to 3Commas. 99.9% of the API keys stored in 3Commas database have not been impacted by the attacks.”
But the legal team, like Koltsov, stopped short of making blanket claims that users were phished. According to the statement, 3Commas maintains it is not to blame for the stolen funds “to our best current knowledge.”
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.