3Commas Denies Rumors of Breach That Caused Millions in Losses

Vignesh Karunanidhi
3Commas Denies Rumors of Breach That Caused Millions in Losses
Source: Empirica

3Commas denies claims of an API credential leak that caused millions in losses for users. WatcherGuru reported earlier in October about Contra trading that cost a user over $1.6 million in BTC, ETH, FTT, and other tokens.

Users claim that cryptocurrency exchange FTX informed them that the API key of 3commas had been compromised. The cryptocurrency exchange added that instances like these were not exceptional occurrences. 3commas, however, asserts that there was no leak.

In October, FTX took no action to stop additional users from being attacked via the trading API, despite the victim filing a police report. Users lost over $6 million in funds combined and accused 3Commas of leaking credentials and enabling attackers to flee with the funds. However, the allegations were branded as “false rumors” by the company CEO.

3Commas CEO stated users were victims of phishing

The allegations against 3Commas were denied by the company’s CEO, Yuriy Sorokin. Sorokin stated that the users who lost their funds were victims of a phishing attack. However, Deputy Chief Technology Officer Artem Koltsov had something to say about the event in an interview with CoinDesk.

“The very disappointing thing here is that nothing can be told for sure. We know that there is phishing out there. We know that anything could happen with those API keys. We’re not happy about it,” said Koltsov.

The statements from both parties are ambiguous, as they don’t help in drawing a conclusion. 3Commas is unable to say with certainty that there was no hack. On the flip side, the users are not able to make it clear that they never fell victim to a phishing attack or shared their API keys.

Binance CEO CZ also shared his thoughts on this event in one of his recent tweets.

CZ highlighted at least three cases where users shared their API and witnessed unauthorized trades. He also urged users to delete their API keys and stay safe.