Binance CEO Changpeng Zhao (CZ) warned his 8 million Twitter followers on Dec. 28 that he is “reasonably sure” API key leaks are taking place on 3Commas, the cryptocurrency trading management platform.
I'm reasonably sure there are widespread 3Commas API key leaks. If you've ever put an API key on 3Commas (from any exchange), disable it immediately.
Stay #LINE.
— CZ Binance (@cz_binance) December 28, 2022
CZ's disclosure followed an incident on Dec. 9, when Binance canceled the account of a user who had complained about losing funds a day before. That user claimed that a leaked API key linked to 3Commas was used “to transact in small-cap coins to increase the price and make a profit.” Binance refused to refund the user. CZ tweeted that the loss was not verifiable, and that if the company made up for such losses, "we will simply pay for users to lose their API keys."
Mamba, there's almost no way we can be sure that users didn't steal their own API keys. The exchanges were made using the API keys you created. Otherwise we will only pay for users to lose their API keys. I hope you understand.
— CZ Binance (@cz_binance) December 9, 2022
On December 10, 11, 3Commas CEO Yuriy Sorokin claimed on the company blog that fake screenshots were circulating on Twitter and YouTube purporting to show that the company had poor security and that employees were stealing API keys. Sorokin denied the accusations in an in-depth technical analysis of the images:
“The person who created the screenshots did a good job with an HTML editor, but they made some key mistakes that easily prove their claims false. We will review them point by point.”
Security issues first surfaced at 3Commas in late October. At that time, the still-functional FTX exchange issued a security alert in response to user reports of unauthorized trades involving DMG coin trading pairs on FTX. 3Commas and FTX determined that the hackers had created 3Commas accounts to conduct the transactions. However, according to the 3Commas blog, "the API keys were not taken from 3Commas but from outside the 3Commas platform."
In a subsequent blog post, Sorokin acknowledged that "we have strong evidence that phishing was, at least in part, a contributing factor" to the user losses.
Meanwhile, a Twitter user has alleged that all 3Commas API keys have been leaked.
PSA
3Commas API leak has been published, if you haven't already, REMOVE YOUR API KEY pic.twitter.com/yEvrxyWBIq
- database (@tier10k) December 28, 2022
Now, Sorokin has confirmed the leak, adding that no proof was found that the leak was an inside job.
1. Declaration of 3Commas:
We saw the hacker's message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin, and other supported exchanges revoke all keys that were connected to 3Commas.
—Yuriy Sorokin (@YS_3Commas) December 28, 2022