FTX’s sister company, Alameda-backed Bitcoin exchange 3Commas, came to the fore with identity theft on November 23. The platform is currently saying that the rumors are unfounded, making sure that the data has not been leaked.
Users reported that their funds were lost on the Alameda-backed Bitcoin exchange
Exchange users currently suspect that 3Commas has leaked sensitive API credentials. However, the firm insists that it is not responsible for the stolen funds “to our current knowledge”. Dozens of users of the Bitcoin exchange claim that the platform leaked their credentials and that the attackers got away with over $6 million in user funds. The 3Commas CEO described these claims as “false rumors”. He stated that those who lost their funds accidentally shared their credentials with a hacker.
To @0xLuki @LyraMagician @Shaifing and every other concerned 3Commas user.
1) Dear Clients, based on our internal investigation, the engineering team has conducted a rigorous analysis to look for any possibility of the leakage or a hack and we have not found any evidence.
— Yuriy Sorokin (@YS_3Commas) November 19, 2022
Artem Koltsov, VP of Technology at 3Commas, dismissed the company’s firm claim that every user who loses money is the victim of phishing or login theft. “The biggest disappointment here is that nothing can be said with certainty,” Koltsov said. “We know there is phishing out there. We know anything can happen with these API keys. We are not satisfied with that,” he added.
It is currently not possible to clearly prove the argument on either side. Just as 3Commas cannot definitively state that they were not hacked, neither can their users prove that they never accidentally shared their API keys. But in the midst of all this confusion, conflicting statements from 3Commas have invited more questions than answers.
Backstage
The Alameda-backed Bitcoin exchange claims in its Twitter bio that it processes $23 billion in monthly trading volume. Reports in September showed that it had raised $37 million in Series B funding from Target Global, Jump Crypto and Alameda Research. 3Commas’ main source of income is trading bots. They are programs that automatically execute trades for users on exchange platforms such as Binance, Coinbase, and FTX.
In order for a 3Commas bot to trade on exchanges like Coinbase, the user must provide 3Commas with an API key. These are secret credentials created by the exchange. As of October, several 3Commas users noticed that their accounts on Binance, Coinbase, FTX and OKX were searched. One user said he lost $200,000 due to the hack from the exchange.
Meanwhile, Binance CEO CZ also included 3Commas in his tweets about FTX on November 14. It advised users to delete API keys against security vulnerabilities:
We have seen at least 3 cases of users sharing their API key with 3rd party platforms (Skyrex and 3commas) and making unexpected trades on their accounts. If you’ve used a platform like this before, I highly recommend deleting your API keys to be safe.
36551
