3Commas' API compromised.
N2K, Jan 3, 2023

Cryptocurrency trading service 3Commas admits it was breached by an anonymous hacker.


Estonia-based cryptocurrency trading service 3Commas has confirmed a breach in which an anonymous Twitter user obtained 100,000 API keys belonging to 3Commas users. The keys are credentials that users had entrusted to 3Commas for trading on third-party exchanges, not keys for 3Commas' own platform.

About the 3Commas breach.

Decrypt reports that $22 million in crypto has been stolen using the compromised API keys, and on Wednesday of last week the company confirmed that it was the source of the leak.

Who’s to blame for the cryptocurrency trading firm's incident?

The company had initially insisted that the keys were obtained through phishing attacks that tricked users into giving up their own data. Yuriy Sorokin, co-founder of 3Commas, maintained that position until Wednesday, when he confirmed on Twitter that the hacker’s data is accurate and that “We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation." CoinDesk reports that the anonymous Twitter user identifying themselves as the hacker published more than 10,000 of the API keys last Wednesday and says the rest “will be published full [sic] randomly in the upcoming days.”

Action being taken at 3Commas.

Victims of the 3Commas leak are understandably frustrated, CoinTelegraph reports, and many have called out Sorokin for initially denying the hack. Demands for refunds and apologies have been plentiful, with some users saying the whole company should be shut down and held accountable. CoinDesk reports that the FBI is now investigating the breach, with users saying they have been contacted by FBI agents.

Industry commentary on 3Commas.

Jason Kent, Hacker in Residence at Cequence Security, discusses the hack and its implications:

"Gaining access to third-party platforms is why API keys exist in the first place; they allow automated systems to exchange data and perform tasks. They are, however, dangerous in the wrong hands. The challenge with this breach is that the API keys aren’t for the platform that had the breach; the keys are for other platforms where tasks need to be performed. This causes some serious issues with cleanup.

"Typically, the keys would all just be flushed and invalidated, and new keys would need to be generated. The challenge here is that the API keys aren’t owned by the 3Commas platform; rather, 3Commas uses them for access to third parties. This means the breach bleeds over to other platforms, and since they weren’t breached, they aren’t as anxious about getting the keys removed.

"Having end users deal with a data breach can be difficult; telling them they need to take action and revoke their own keys is going to be fraught with peril. Did they notify everyone they need to? Are they able to validate that the keys are in fact gone and regenerated? This is going to be a difficult bit of work to police and ensure everyone is going to be safe."
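The cleanup problem Kent describes, keys that the leaking platform holds but cannot revoke, lends itself to a small triage tool. The following is an added example written for this page, not code from 3Commas or from any exchange. It takes a constructed leak dump and a constructed inventory of users' exchange keys, identifies exposure by hashed comparison so that raw secrets never appear in reports, groups the revocation work by the exchange where it actually has to happen (worst permissions first), and treats a key as cleaned up only once the exchange rejects the old secret. The exchange probe, exchange names, key identifiers and secrets are all hypothetical stand-ins.

```python
"""Triage for a leak of third-party API keys held by an aggregator.

Added example for this article; not 3Commas code and not any exchange's API.
Every name, key and secret below is constructed, and the exchange probe is an
in-process stand-in for an authenticated request to the real exchange.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def fingerprint(secret: str) -> str:
    """SHA-256 hex digest of a secret, so comparisons and reports never carry the raw value."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class StoredKey:
    owner: str          # platform user the key belongs to
    exchange: str       # third party the key actually grants access to (hypothetical names)
    key_id: str         # public identifier at that exchange
    secret: str         # secret half; never written to reports
    can_trade: bool
    can_withdraw: bool


# Constructed inventory of keys the aggregator holds on users' behalf.
INVENTORY = [
    StoredKey("alice", "exchange-a", "AK1", "s3cr3t-alice", can_trade=True, can_withdraw=False),
    StoredKey("bob", "exchange-b", "BK7", "s3cr3t-bob", can_trade=True, can_withdraw=True),
    StoredKey("carol", "exchange-a", "CK2", "s3cr3t-carol", can_trade=False, can_withdraw=False),
]

# Constructed stand-in for a published dump of raw key material, one key per line.
LEAKED_DUMP_LINES = ["s3cr3t-alice\n", "s3cr3t-bob\n", "unrelated-key\n", "\n"]


def dump_fingerprints(lines):
    """Hash the dump once; membership tests then never touch raw secrets again."""
    return {fingerprint(line.strip()) for line in lines if line.strip()}


def exposed_keys(inventory, dump_fps):
    """Inventory entries whose secret appears in the dump, in inventory order."""
    return [k for k in inventory if fingerprint(k.secret) in dump_fps]


def risk_rank(key):
    """Withdrawal rights are worst, then trading, then read-only."""
    return 2 if key.can_withdraw else 1 if key.can_trade else 0


def revocation_plan(exposed):
    """Group exposed keys by the exchange where revocation must happen, highest risk first.

    Returns {exchange: [(owner, key_id, fingerprint_prefix), ...]}; the prefix is enough
    to correlate with the user without ever quoting the secret.
    """
    plan = defaultdict(list)
    for k in sorted(exposed, key=risk_rank, reverse=True):
        plan[k.exchange].append((k.owner, k.key_id, fingerprint(k.secret)[:12]))
    return dict(plan)


def verify_revoked(key, exchange_accepts):
    """True only when the exchange itself now rejects the old secret.

    `exchange_accepts(exchange, secret)` stands in for an authenticated probe against the
    real exchange; a local flag saying "user was told to rotate" is not evidence.
    """
    return not exchange_accepts(key.exchange, key.secret)


# Constructed mock of exchange-side state: which secrets each exchange still honours.
LIVE_SECRETS = {"exchange-a": {"s3cr3t-alice", "s3cr3t-carol"}, "exchange-b": {"s3cr3t-bob"}}


def mock_exchange_accepts(exchange, secret):
    return secret in LIVE_SECRETS.get(exchange, set())


def mock_user_rotates(exchange, secret):
    """Simulates the user deleting the old key at the exchange."""
    LIVE_SECRETS[exchange].discard(secret)


if __name__ == "__main__":
    exposed = exposed_keys(INVENTORY, dump_fingerprints(LEAKED_DUMP_LINES))
    for exchange, items in revocation_plan(exposed).items():
        print(exchange, items)
    for k in exposed:
        print(k.owner, "revoked at exchange:", verify_revoked(k, mock_exchange_accepts))
    mock_user_rotates("exchange-b", "s3cr3t-bob")
    print("bob after rotation:", verify_revoked(exposed[1], mock_exchange_accepts))
```

Two design choices matter here. Exposure is decided by comparing digests, so the dump can be processed and the findings shared with support staff without the raw secrets travelling with them. And the only state that counts as "done" is the exchange rejecting the old secret, which is exactly the validation question Kent raises: notifying users is necessary, but it is the third party's answer, not the aggregator's records, that proves the key is gone.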