3Commas Confirms Report On 100,000 API Keys Leaked

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Dec 30, 2022 02:33 am PST

As 2022 draws to a close, an anonymous Twitter user has leaked over 100,000 API Keys stolen from 3commas. In a hack last week, hackers made off with $22 million worth of cryptocurrency due to stolen API keys from 3Commas. Initially, Yuriy Sorokin, one of the firm’s co-founders, shot down these accusations and indicated that security is not a problem.

Three months ago, in late October, they began experiencing security problems. A security alert was issued in response to user allegations of suspicious activity with trading pairings, including the DMG coin on the still-active FTX exchange. Hackers had created 3Commas accounts in order to conduct the deals, as confirmed by 3Commas and FTX. But “the API keys were not obtained from them but from outside the 3Commas platform,” as the 3Commas blog puts it.

Binance CEO Sheds More Light

The CEO of cryptocurrency exchange Binance, Changpeng Zhao (CZ), tweeted to his 8 million followers on December 28 that he is “quite positive” API key breaches are occurring on the platform. He further showed sympathy for those who had suffered financial losses as a result of the disclosure of the 3Commas API key earlier this month. But he has since advised the service’s customers to turn off the use.


CZ’s revelation came after December 9 event in which Binance suspended a user’s account who had complained about losing money the day before. This user claimed “trades on low cap coins to push up the price to generate profit” were made using a stolen 3Commas API key. Binance said they wouldn’t pay the user back. CZ remarked that the loss was improbable and that the company would “simply be paying for people to lose their API keys” if it attempted to compensate for it.

On December 11, CEO Yuriy Sorokin claimed on the business blog that screenshots were circulating on Twitter and YouTube showing the company had insufficient security and that staff was obtaining API keys. Sorokin conducted a thorough technical investigation of the photographs and refuted the claims.

The Genesis Of The API Key Leaks

It all started in late November when customers began reporting unauthorized purchases made in their names. Meanwhile, a Twitter user claimed that all 3Commas’ API keys were exposed. But all the claims were refuted as there was limited evidence of proof then. Last week, a group of traders claimed that $22 million worth of cryptocurrency had been stolen through compromised API keys from the trading platform. This API vulnerability was first revealed to have originated from 3Commas on Wednesday.

Approximately 100k API keys belonging to 3Commas users were taken by an unknown Twitter user and released online, prompting the disclosure. Initially, 3Commas denied any security breach on their end, and co-founder Yuriy Sorokin stated on Twitter that users fell victim to a phishing assault.

In another post, he criticized “incompetence from big media outlets” and cast doubt on a crowd-sourced list of stolen accounts. Pay attention that most of the people alleging losses did not contact the exchange or the authorities, as Sorokin tweeted. I’m curious as to what process was used to ensure the accuracy of this report.

Once more, he insisted that there were too few cases for it to have been a 3Commas exploit. Sorokin tweeted, “Over 1 million keys are associated with 3Commas, and 100 individuals have reported troubles with their accounts.” “If the [database] was leaked, why would that happen?”

We saw the hacker’s message and can confirm that the material in the files is real,” Sorokin tweeted on Wednesday. We regret that this has progressed to this point and promise to be open and honest in all future contacts regarding this matter. Sorokin later admitted in a blog post, “we have concrete proof that phishing was at least in some part a contributory cause,” to the losses experienced by users.

Users, CZ said, should turn off their API keys in 3Commas. Sorokin asked that all supported exchanges immediately revoke keys associated with 3Commas. This includes Binance and Kucoin. In that case, hackers who have stolen API keys won’t be able to manipulate their coins on those markets.

The 3Commas Trading Environment

The 3Commas bitcoin management software offers traders various time-saving and money-making features. The project’s creators want to protect investors from harm, reduce losses, and increase gains. They developed a platform that used bots for trading and offered great benefits for users with little or no experience.

The trading bot is at the heart of the service provided; it is a web-based solution that integrates with various devices and exchanges. Automated trading software, or “bots,” make trades automatically depending on a trader’s preset criteria.

There are already over 33,000 traders utilizing the service, and the daily trading volume on the platform exceeds $10m. Additionally, the trading bot is compatible with 12 exchanges, including Coinbase, GDAX, Binance, Bitfinex, and Huobi.

That’s why it is so helpful; it allows traders to monitor orders from many exchanges at once, learn from market data, and employ tactics like stop-loss and take-profit orders with greater precision.


In a recent event, an anonymous Twitter user released ten thousand API keys that they claimed to have stolen from the 3Commas bitcoin exchange. These API keys are used by the bots to conduct automated investment and trading on the user’s behalf on cryptocurrency exchanges without asking the user to enter any details. 3Commas has since given advice and asked that all supported exchanges immediately revoke keys associated with 3Commas. This includes Binance and Kucoin. In that case, hackers who have stolen API keys won’t be able to manipulate their coins on those markets.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Jason Kent
Jason Kent , Hacker in Residence
InfoSec Expert
December 30, 2022 11:22 am

Gaining access to 3rd party platforms is why API keys exist in the first place, they allow for automated systems to exchange data and perform tasks. They are however, dangerous in the wrong hands. The challenge with this breach is the API keys aren’t for the platform that had the breach, the keys are for other platforms where tasks need to be performed. This causes some serious issues with clean up.

Typically, the keys would all just be flushed, invalidated, and new keys would need to be generated. The challenge here is the API keys aren’t owned by the 3Commas platform but rather 3Commas uses them for access to 3rd parties. This means the breach bleeds over to other platforms and since they weren’t breached, they aren’t as anxious about getting the keys removed.

Having end users deal with a data breach can be difficult, telling them they need to take action and revoke their own keys is going to be fraught with peril. Did they notify everyone they need to? Are they able to validate the keys are in fact gone and regenerated? This is going to be a difficult bit of work to police and ensure everyone is going to be safe.

Last edited 9 months ago by Jason Kent

Recent Posts

Would love your thoughts, please comment.x