By
Chimamanda U. Martha
April 18th, 2024
The company’s CEO has not confirmed whether or not he will be making a refund to the affected victims but said as an immediate course of action, the platform has requested all partner exchanges to disable their API keys linking to its systems.
For the past few weeks, crypto Twitter has been calling out 3Commas, an automated trading platform with respect to the leak of its Application Programming Interface (API) that has caused the loss of funds for users. After much denials and blame shifting, the platform’s Chief Executive Officer, Yuriy Sorokin has come out to admit the leak was from the platform.
As a protocol, 3Commas helps users to connect to third-party exchanges like Binance, KuCoin, and the like where highly functional codes can be used to place trades in an automated manner. The connections to these centralized exchanges are through its APIs of which hundreds of users’ keys were compromised.
Popular on-chain Sleuth, ZachXBT said he verified as many as 44 3Commas users who lost a cumulative of $14.8 million through the API keys that were stolen from the platform. When the report first made the rounds, Sorokin argued that any form of leak meant that users themselves had given up their API keys through a targeted phishing attack.
It's not about the terminology, it's about the roof of the problem. Which is – API keys issues by exchanges were leaked. Has nothing to do with 3Commas API, period. We are trying to help as much as we can – push people to work with the exchanges and law enforcement.
— Yuriy Sorokin (@YS_3Commas) December 23, 2022
Considering the fact that 3Commas is used by millions of traders, he posited that a hack on its database will involve a relatively larger number of victims than are being reported on Twitter.
“If you are a victim – then it means that somehow your keys were leaked. Not from 3Commas, as otherwise, you would’ve seen millions of cases, not a hundred. browser extensions, stealers, and all kinds of malware are out there.”
In a dramatic twist of events, Sorokin finally admitted that the leak originated from its platform and that he was sorry for how things have shaped out so far.
3Commas API Leak: Next Course of Action
Following the admittance of its role, Sorokin and the 3Commas team have been receiving more intense backlash from the community, especially with the fact that the trading outfit is known for related exploits in the past.
A Twitter user, CoinMamba who also doubles as a 3Commas customer demanded a refund for all affected victims.
“You kept lying and saying this was our fault instead of taking responsibility and preventing further exploits. Are you going to refund the users now?” he demanded.
Sorokin has not confirmed whether or not he will be making a refund to the affected victims but said as an immediate course of action, the platform has requested all partner exchanges to disable their API keys linking to its systems.
“We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas,” he tweeted.
He said in its investigations, evidence that the hack was an inside job was not found and that it will continue to coordinate with law enforcement agents as it launches a full investigation into the incident.
Unlike how he has handled the situation prior to this time, Sorokin said he will be more forthcoming in its communications moving forward.