- The FBI is now thought to be involved in the hunt for the 3Commas API thief
- 3Commas had denied for weeks that it was the source of a 100,000-strong API leak
- The company finally accepted culpability after the hackers posted a huge sample
The FBI is now thought to be involved in the hunt for the hacker who stole over 100,000 API keys from trading protocol 3Commas, after its CEO finally admitted the company was responsible. 3Commas had denied having any part in the leak, which has grown in scale over the past couple of weeks, until on Wednesday it conceded that it was the source of the breach, doing untold damage to the company’s reputation.
A Month of Pressure Finally Tells
Talk of a potential exploit began earlier in December when high-profile crypto trader Coinmamba had a public spat with Binance over access to his trading account through his 3Commas API key. Binance said it wasn’t responsible, which shifted attention to 3Commas.
In more recent days, crypto sleuth ZachXBT has been working on the case, reporting on Twitter that multiple 3Commas users have reported “unauthorized trades on their CEX accounts” this month. 3Commas initially blamed these losses on phishing attacks, essentially putting the blame on the victims for falling for them, and denied all accusations that the leak came from its own systems. CEO Yuriy Sorokin even raged at the “incompetency” of the crypto media and blamed exchanges for not looking after API keys.
Hacker Publishes API Keys
The scene changed dramatically on Wednesday, however, when a hacker leaked a huge list of Binance and Kucoin API keys linked to 3Commas, and promised more:
1/ Six hours ago an account messaged me and sent over a db with api keys of 3Commas users. I began working to verify its validity and quickly shared the info with exchanges. pic.twitter.com/MBKatUyzBE
— ZachXBT (@zachxbt) December 28, 2022
In the messages, the hackers said that they could have stolen billions of dollars but that wasn’t their aim – they wanted to “teach everybody a low lesson, not a hard one to do not trust 3 Commas [sic]”. ZachXBT cross-referenced the leaked API keys with those of known victims and confirmed that the database was legitimate.
Later that evening, Sorokin had no choice but to finally admit that the issue was with 3Commas after all:
1. Statement from 3Commas:
We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.
— Yuriy Sorokin (@YS_3Commas) December 28, 2022
In the terse message, Sorokin said that 3Commas had investigated the possibility of an inside job but concluded that there hadn’t been one, and said that the company had since “implemented new security measures” and is “launching a full investigation involving law enforcement.” In a pathetic nod to its complete unwillingness to countenance that 3Commas was the root of the issue, Sorokin said that the company was “sorry that this has gotten so far” and added that it will “continue to be transparent in our communications around the situation”, which hilariously suggests that it has been thus far.
FBI Now Involved
The reactions to Sorokin’s comments were as caustic as one could imagine, with ZachXBT among those calling on users to stop using the platform. CoinDesk said yesterday that it has learned that the FBI is now involved in helping to identify the hacker, who has promised to publish API details for all major exchanges in the coming days.
If it wasn’t clear already, delete all your API keys for all exchanges and create new ones, but only for those platforms you regularly use.