Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.
Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.
Join the most important conversation in crypto and Web3 taking place in Austin, Texas, April 26-28.
An anonymous Twitter user has obtained around 100,000 API keys belonging to users of the crypto trading service 3Commas. The leaker published over 10,000 of the keys on Wednesday and says the rest “will be published full [sic] randomly in the upcoming days.”
3Commas CEO Yuriy Sorokin confirmed the authenticity of the leak in a tweet on Wednesday, adding that “as an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas.”
The leak comes after dozens of users of 3Commas claimed that their API keys were used to execute trades on exchanges such as Binance, KuCoin and Coinbase without their consent. As CoinDesk previously reported3Commas confirmed that users lost at least $6 million to attackers starting in October, but that sum has at least doubled in recent weeks according to users who spoke to CoinDesk.
CoinDesk is not linking to or naming the pseudonymous leaker’s Twitter account because doing so could further expose sensitive private information.
3Commas initially told CoinDesk its users’ losses resulted from phishing attacks, but those users – over 50 of whom have organized themselves into Telegram group chats – have insisted that their credentials must have been leaked by 3Commas or an exchange like Binance or Coinbase.
Wednesday’s data dump is the clearest evidence yet that the credentials were leaked rather than phished. Multiple 3Commas users confirmed to CoinDesk that they were able to find their API keys among those that were shared by the leaker.
In his tweet, 3Commas’ Sorokin noted that he and his company “did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found.”
Before 3Commas made its statement, Binance CEO Changpeng Zhao cautioned users on Wednesday afternoon that “If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.”
3Commas allows users to set up trading bots that automatically execute trades on their behalf on third-party crypto exchanges. Those exchanges generate API keys, and users plug those keys into 3Commas in order to grant the app access to their accounts. The API keys included in this week’s leak were, according to the leaker, generated on Binance and KuCoin.
UPDATE (Dec. 28, 2020 20:13 UTC): Adds tweet from Binance CEO.
UPDATE (Dec. 28, 2020 21:08 UTC): Adds confirmation and statements from 3Commas, removes ‘Alleged’ from headline.
Sign up for Valid Points, our weekly newsletter breaking down Ethereum’s evolution and its impact on crypto markets.
By signing up, you will receive emails about CoinDesk product updates, events and marketing and you agree to our terms of services and privacy policy.
DISCLOSURE
Please note that our
and
do not sell my personal information
has been updated
.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a
strict set of editorial policies.
CoinDesk is an independent operating subsidiary of
which invests in
and blockchain
As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of
which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG
.
Sam is a reporter at CoinDesk focused on decentralized technology, DeFi and DAOs. He owns ETH, BTC and MATIC.