Keys to thousands of Binance and KuCoin accounts stolen because of the 3Commas leak: check if you are affected too

A database of API keys of 3Commas cryptocurrency service users was published online. The authenticity of the data and the fact of the leak were confirmed by the firm’s CEO Yuriy Sorokin. At the same time, the statement on the website says that other API data — secrets and passphrases — were also leaked. 

What happened to 3Commas?

An anonymous Twitter user stated that he received about 100,000 API keys. He published more than 10,000 on December 28. The exploiter also promised to continue to release personal data randomly in the coming days. A crypto influencer, Zach XBT, shared screenshots of his conversation with the anonymous.

1/ Six hours ago an account messaged me and sent over a db with api keys of 3Commas users. I began working to verify its validity and quickly shared the info with exchanges. pic.twitter.com/MBKatUyzBE

— ZachXBT (@zachxbt) December 28, 2022

The API keys that were leaked were mostly generated on Binance and KuCoin.

Sorokin added that he had asked Binance, KuCoin, and other supported exchanges to revoke all keys associated with 3Commas. The company launched an investigation involving law enforcement and assured that it has implemented new security measures to protect users.

What is 3Commas?

The company was founded in Estonia by Yuriy Sorokin, Egor Razumovskii, and Mikhail Goryunov in 2017. 3Commas has over 100,000 monthly active users and more than 270 employees worldwide. Trading volume in 2021 was $225 billion, with $37 million raised in Series B funding.

3Commas is a cryptocurrency trading management platform that offers various customizable trading bots and full portfolio management from a single user-friendly interface. These bots automatically make trades on behalf of the user on third-party crypto exchanges. Bots have many different settings and allow you to trade 24 hours a day, 7 days a week, without user involvement. 

The exchanges generate API keys, and users connect these keys to 3Commas to give the app access to their accounts. 3Commas trading tools are supported on 16 major cryptocurrency exchanges: Binance, Bittrex, Bitstamp, Bitfinex, Bitmex, Coinbase, OKX, KuCoin, Huobi, Bybit, Deribit, Kraken, Ripple, Ethereum, Crypto.com, Dogecoin.

What are API keys, and what are they for?

API (Application Programming Interface), is a set of rules describing how two applications communicate with each other. In cryptocurrency trading, the API provides real-time access to market data, trading, and user account management. 

An API key is a code used to identify and authenticate an application or user. API keys are available through platforms and serve as unique identifiers.

The API key is passed to the application, which then calls the API to identify the user, developer, or program attempting to access the website or service.

In our case, API keys serve both to authenticate the user (confirm identity) and to authorize the user (verify permission to execute the request).

How this will affect users?

The exploiter gained full control over users’ digital assets on exchanges via 3Commas service. Anonymous stated that he has access to billions of dollars, but he does not want to cause damage, only to teach a lesson so that people do not trust 3Commas. Sounds like the speech of a disgruntled former employee. There have been numerous rumors about the theft of API keys by employees, which the company has denied.

3Commas also has previously repeatedly assured that there were no leaks and complaints from users that transactions with their cryptocurrency are taking place but without their knowledge, the results of phishing attacks. Although back in November it was known that 48 confirmed 3Commas customers from the active user base were affected.

Despite 3Commas being an official partner of Binance, the head of the largest crypto exchange Changpeng Zhao (better known as CZ) tweeted that the data leak was from this company.

I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.

Stay #SAFU.

— CZ 🔶 Binance (@cz_binance) December 28, 2022

Only now has the platform acknowledged the exploit. 3Commas stated that “no evidence of an inside job was found” and “only a small number of technical employees had access to the infrastructure,” but they have had access removed since November 19.

Now there were a lot of angry questions in the air:

• If an employee had access to API keys, why wasn’t that information encrypted?
• Why weren’t all the API keys locked down back in November or earlier when the problem became known?
• How will the affected users get their money back?

Moreover, in the comments to Yuriy Sorokin’s tweet, he was accused of gaslightingA form of psychological abuse. One person, by manipulating another, intimidates them, and makes them doubt their own abilities, the adequacy of their judgment, and even memories., as he assured that all the problems are on the side of users or exchanges, and said that his company has lost the most important thing — reputation.

You kept lying and saying this was our fault instead of taking responsibility and prevented further exploits. Are you going to refund the users now?

— CoinMamba (@coinmamba) December 28, 2022

How to protect yourself?

• Delete or refresh API keys for every exchange, and use Fast Connect where available, like that offered by Binance;
• If you have ever entered an API key into 3Commas from any exchange, revoke it immediately;
• Enable 2FA for every exchange and service you use;
• Change all your passwords;
• Beware of phishing sites (despite the 3Commas leak, they still exist):