For several months now, the community has been discussing the leak of API keys from the 3Commas platform. The latter acknowledged the data compromise only in December 2022, although the first complaints date back to October.
The HAPI decentralized security protocol team shared a detailed analysis of the incident with Cryplogger. Experts assessed the damage to clients, explained how assets were stolen from users of centralized platforms, and talked about a class action lawsuit that they are preparing to file against 3Commas in the United States.
🔥HAPI Labs is excited to unveil a new investigation into @3commas_io incident!
✍️Full analysis and investigation into 3Commas here: https://t.co/jprPHOu51w
small thread 🧵 pic.twitter.com/GJFf4WGajX
— HAPI LABS | Alerts (@hapi_labs) January 19, 2023
‘False rumors’ turned out to be true
In October 2022, 3Commas, together with the FTX cryptocurrency exchange team, reported the compromise of a number of API keys, which were subsequently used to make unauthorized transactions with the DMM Governance (DMG) token.
Some clients of the algorithmic trading platform have reported that keys have been used to transact on Binance, KuCoin, and Coinbase without their consent.
Representatives of 3Commas then called this information “false rumors.”
There have been some false rumors shared by bad faith actors using falsified evidence to claim 3Commas leaked users’ API keys. These rumors were related to fake screenshots of Cloudflare logs that have been shared on Twitter and Youtube.
The full article: https://t.co/KVOF2BWlYn pic.twitter.com/qJ52CvnVg0
— 3Commas (@3commas_io) December 11, 2022
The platform team only confirmed the leak of user data in December, when the head of Binance, Changpeng Zhao, warned about the relevant issues.
It was reported that about 100,000 API keys fell into the hands of attackers. 10,000 of them they placed in the public domain and promised to publish the rest later.
3Commas confirmed the relevance of the information leaked to the network.
1) We have seen the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas. pic.twitter.com/ZMuzCqeF1j
— 3Commas (@3commas_io) December 28, 2022
According to preliminary data from HAPI, “dozens of people” were injured in the incident. Analysts noted that the real number of victims could be in the thousands, and their cumulative damage could be estimated at tens of millions of dollars.
What is 3Commas?
3Commas is a digital asset algorithmic trading service launched in 2017. According to HAPI, the company registered in Estonia was founded by immigrants from Russia – Yuri Sorokin, Mikhail Goryunov and Yegor Razumovsky.
The trading bots of the platform work with many cryptocurrency exchanges. In particular, 3Commas is a partner of Binance and FTX, which is now in the process of bankruptcy.
The company also received funding from another FTX Group affiliate, the infamous Alameda Research.
On site 3Commas claims that the platform “takes user security seriously.”
At the same time, the first complaints of users about the compromise of API keys in October 2022 were either ignored by the project team or called rumors. In November, dozens of people reported problems and the situation “got out of control.”
The management of 3Commas stated that within the limits of internal investigation did not reveal evidences of participation in leak of data of employees.
HAPI claims that shortly before the incident, as well as during the period when the first complaints appeared, some of the developers left the company. Analysts managed to contact some of them – on condition of anonymity, they confirmed that one of the insiders could “merge” user keys.
“3Commas has a completely closed code, closed software, closed development. There are no audits. For five years of operation of the official broker Binance, the official partner of FTX – not a single public audit. […] Everything we learn, we learn only from retired developers and victims. […] And this is against the backdrop of statements about a huge trading volume through the software they provide – $ 23 billion monthly, to be exact, ”a HAPI representative told Cryplogger.
In addition, one of the former members of the platform team said that in the days of the first complaints from users, the co-founders of the company, in conversations with employees, allegedly called the situation critical and talked about the “end of 3Commas”.
However, over time, the rhetoric has changed. The service denied all accusations for months, alluding to the negligence of its customers.
How did the attackers steal user funds?
According to analysts, attackers used third-party accounts on centralized platforms to place orders to sell low-liquid assets at a high price.
Then, through the accounts of the victims, to which they received access via the API, the criminals exchanged order book these assets are highly liquid.
Experts noted that it is not only about counter trading, but also about washing trade. As an example, they cite a situation in which, before the attack, the value of the victim’s liquid assets was estimated at 50 BTC, and after it, when the Pump and Dump scheme went through, it was 7 BTC. At the same time, 43 BTC “settle” on the other side.
HAPI emphasized that, having access to users’ API keys, attackers bypassed 2FA and other security tools available on exchanges. Analysts also noted that it is not known whether 3Commas encrypted client data – due to the closed nature of the service architecture, it is impossible to verify this.
Incident in numbers
According to HAPI:
- as of January 10, 2023, the number of affected users was 86 people from 32 countries;
- the confirmed amount of damage to 3Commas customers is estimated at $27,285,845. The smallest amount of losses is about $500, the largest is $5.9 million;
- most of the victims are citizens of the United States (21), Great Britain (11), as well as Ukraine, Canada and Thailand (4 for each jurisdiction). 19 cases are associated with EU residents;
- among the victims, the most users are Binance (47), KuCoin (28), Coinbase Pro (10) and Bittrex (1).
Analysts noted that six users lost more than a million dollars each. In total, they account for about 67% of the total damage, or $18.3 million.
Binance users lost the most money — about $23.5 million in total. KuCoin and Coinbase Pro accounted for $2.1 million and $1.5 million, respectively.
In terms of countries, the residents of Thailand suffered the largest damage — over $6.4 million. In second place were citizens of the United Kingdom ($5.5 million), and in third place were residents of the EU ($4.8 million).
In October 2022, there were only four cases of theft of funds with a total user loss of $470,000. In November, the number of victims confirmed by analysts rose to 24. Their losses are estimated at $14.9 million.
“It looks like all the whales were cleaned out in November,” the NAPI noted.
The vast majority of compromised API keys were generated in 2022 (about 78% of the total). However, four cases are related to keys generated in 2020, and two are related to keys created in 2019.
The role of exchanges
The 3Commas service supports more than two dozen exchanges, however, only users of Binance, KuCoin and Coinbase Pro were affected, there is also one confirmed case with a Bittrex client.
“Maybe the problem is not only in 3Сommas? Indirectly, we can associate this fact with the settings of exchanges for managing user API keys. Most exchanges deactivate trader keys by default after 3-6 months. In the case of Binance, the leak affected keys generated more than three years ago,” HAPI noted.
In November 2022, the Binance team was already aware of the incident, according to analysts. In early December, HAPI specialists turned to the exchange with a request to assist in the investigation, but the platform representative refused to join the initiative and advised to contact law enforcement agencies.
The company emphasized that the affected exchanges had the opportunity to reduce the damage to users. In particular, they could revoke API keys, freeze the accounts involved until the circumstances were clarified, or contact cybersecurity specialists.
Instead, Binance, and later KuCoin with Coinbase, did not inform customers about the need to deactivate keys for a long time, despite numerous complaints and suspicions of data leakage.
At the moment, all exchanges have already disabled API keys from 3Commas, HAPI explained.
HAPI confirmed that on December 29, 2022 FBI joined the investigation into the incident. 3Commas fell under the scope of the department, since US citizens prevail among the affected users, and some of the company’s servers are located in the United States.
The considerable estimated amount of damage to the platform’s customers and the fact that the affected users intend to file a class action lawsuit against 3Commas also played a role.
“Will the FBI have a strong impact? I’m not sure about this. Especially if 3Commas offers people partial compensation or something. But the Cyber Police of Ukraine was in touch with the FBI. […] A group of Americans, which is preparing a class action lawsuit, invited affected users from Ukraine, the Baltic countries, the EU, the UK to join. Of course, a class action lawsuit in the United States is intended to protect US citizens, but victims from other countries add weight to it. Will it help victims from other jurisdictions? I think it will help, ”said HAPI.
Representatives from 3Commas and Binance were unable to promptly comment on the leaked user data. Cryplogger will update the material when it receives responses from the listed companies.
Read Cryplogger bitcoin news in our Telegram – Cryptocurrency news, courses and analytics.
Found a mistake in the text? Select it and press CTRL+ENTER
Cryplogger Newsletters: Keep your finger on the pulse of the bitcoin industry!