API Leaked — 3Commas API Keys Leak Detailed Analysis

Dona Mara · Published in HAPI.Labs · Jan 19, 2023 · 6 min read

The 3Commas incident has been brewing for quite some time. Despite many concerns being raised early on, 3Commas kept its stance, denying that any issues were present.

This has only exacerbated the problem, leading to even more outcry. And here we are now, with an ample amount of evidence and several key players publicly accusing 3Commas of the leak, presenting you with a detailed analysis of what has happened.

The HAPI team preemptively warned users just before everything was brought to light (https://twitter.com/donamarahp/status/1601280905510690816). We have also been patiently collecting information from various sources in order to produce a valid and comprehensive incident report.

Who are 3Commas

Before delving deep into the facts, it’s reasonable to set the stage.

3Commas, to those unfamiliar, is a trading service created back in 2017 and used to automate digital asset trading. 3Commas allows its clientele to connect to 18 major exchanges without so much as lifting a finger, while also automating the whole trading process, making it an ideal offering for a whole lot of traders.

For a long time 3Commas was considered one of the major trading brokers of Binance. Not only that, but they have also been intimately tied to FTX, Alameda and Sam Bankman-Fried, sponsoring some of their fundraising rounds, totalling around $40 million across all of them.

The company itself has actually been operating since 2017 and was founded by a Russian-born trio from Saint Petersburg. Interestingly, as of recently none of them want to admit to having any relation, be it by nationality or business-wise, to the Russian Federation. Instead, they claim that they and their business are Estonian through and through.

That, however, is just a synopsis.

Where it started

The first unsavory crumbs of information started to gather around the middle of October 2022.

Multiple users encountered “API issues” and started sharing their experience via social media platforms like Telegram and Twitter. 3Commas treated these reports… well, as accusations and an attempt to blemish its reputation.

On 28th of December 2022, Changpeng Zhao, commonly known as CZ, posted a tweet warning users about the leak. Compromised API keys were then publicly shared by hackers, corroborating the very fact that the API keys had been leaked.

On December 29th, the FBI opened a case against 3Commas, leaving them no choice but to make a move, and they did.

Despite initially denying belligerently that any leak had taken place, the CEO of 3Commas had no choice but to fold to these claims in this tweet: https://twitter.com/YS_3Commas/status/1608202390121111552

However valiant an attempt at seeking repentance this was, it didn’t address or try to solve the issue at hand — the leak itself and those affected by it.

Speaking of those affected: according to HAPI research, the number of affected people is AT LEAST in the hundreds. The actual number may easily go into the thousands. The full breakdown will be in the next section.

The projected financial loss incurred may well exceed the $10 million mark, as more and more people claim to have lost their assets.

Binance users are the most affected group, but there are also some outliers on KuCoin and even Coinbase Pro.

Where we are now and the devil is in the details

Audit

Let us begin with security and how it is treated at 3Commas. Was this just an unfortunate circumstance befalling a fully audited and tightly secured platform, or was there negligence at play that had a decisive role in thousands of people eventually losing their hard-earned assets?

It turns out that the company, with billions in monthly trading volume (23 billion, to be exact) and more than 5 years of operating business, hasn’t had any (public) audit done: https://3commas.io/security

Exchanges Involved and Their Initial Reaction

The 3Commas incident has not been a Binance-only issue, as we briefly mentioned at the start. KuCoin, Coinbase, and one verified Bittrex case have also been uncovered as related to the 3Commas leak.

What’s interesting is the fact that none of these exchanges have reported any leaks or even hinted at any problems taking place. This is despite the numerous complaints already being reported. They could easily have prevented it had they acted swiftly and disabled the 3Commas API keys before the situation got worse.

What is also very interesting to note is the fact that the stolen Binance API keys are 2–3 years old. This is strange because by default the keys are supposed to be deactivated after 3 to 6 months.
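The rotation gap described above is something a user or a compliance team can check for on their own side. As an added example, not code from the article, 3Commas or any exchange, the script below audits a constructed inventory of API keys against a rotation window (180 days, assuming the 6-month end of the default mentioned) and flags the keys that are both past the window and shared with a third-party service, which is the combination that made the incident possible. The key labels, exchanges, creation dates and the `INVENTORY` list are all constructed for illustration.

```python
"""API key rotation audit (added example; constructed data, not real keys)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ApiKey:
    key_id: str                 # hypothetical label, never the secret itself
    exchange: str
    created: date               # date the key was issued
    shared_with: Optional[str]  # third-party service the key was handed to, if any


# Constructed sample inventory; dates and labels are invented for the example.
INVENTORY: List[ApiKey] = [
    ApiKey("key-A", "Binance", date(2020, 3, 1), "trading-bot"),
    ApiKey("key-B", "Binance", date(2022, 11, 20), None),
    ApiKey("key-C", "KuCoin", date(2021, 6, 15), "trading-bot"),
    ApiKey("key-D", "Coinbase Pro", date(2022, 9, 5), None),
]

# Assumed rotation window: the 6-month end of the 3-6 month default.
DEFAULT_MAX_AGE_DAYS = 180


def key_age_days(key: ApiKey, today: date) -> int:
    """Whole days elapsed since the key was issued."""
    return (today - key.created).days


def stale_keys(inventory: List[ApiKey], today: date,
               max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> List[ApiKey]:
    """Keys that have outlived the rotation window and should be rotated."""
    return [k for k in inventory if key_age_days(k, today) > max_age_days]


def high_risk_keys(inventory: List[ApiKey], today: date,
                   max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> List[ApiKey]:
    """Stale keys that were also handed to a third party: rotate these first,
    because a leak at the third party exposes them with no expiry to limit it."""
    return [k for k in stale_keys(inventory, today, max_age_days)
            if k.shared_with is not None]


def audit_report(inventory: List[ApiKey], today: date,
                 max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> Dict[str, object]:
    """Summarise the inventory: stale ids, high-risk ids and stale count per exchange."""
    stale = stale_keys(inventory, today, max_age_days)
    per_exchange: Dict[str, int] = {}
    for k in stale:
        per_exchange[k.exchange] = per_exchange.get(k.exchange, 0) + 1
    return {
        "stale": [k.key_id for k in stale],
        "high_risk": [k.key_id for k in high_risk_keys(inventory, today, max_age_days)],
        "stale_by_exchange": per_exchange,
    }


if __name__ == "__main__":
    # Audit date chosen to match the article's breakdown date (10.01.2023).
    report = audit_report(INVENTORY, date(2023, 1, 10))
    for line in (f"{section}: {value}" for section, value in report.items()):
        print(line)
```

Run as a script to print the report; in practice the inventory would be read from the exchange's API-management page or an internal secrets register, and any key in the high-risk list should be revoked and re-issued rather than merely noted.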

On December 8th, the HAPI Team contacted several exchanges, including Binance, to facilitate the investigation and help clear the air on what was going on. The response we got was rather underwhelming: they didn’t want to associate themselves with any rumors and told us to contact local police forces.

And that’s what we did with some of the affected users, assisting them in contacting their local authorities while they shared their part of the story with us.

However, there are certain obstacles when it comes to contacting or filing a complaint with law enforcement. By means of trading on low-liquidity BTC, ETH and USDT pairs, high-liquidity assets were traded for low-liquidity altcoins at a high markup. This led to the emptying of user accounts in dollar terms. Also, the fact that the API keys were deliberately transferred by users to a third party (3Commas) has significantly impaired the whole process of filing a complaint or enforcing any legal action. Despite all of that…

On 29th of December, after several user-reported incidents, the joint work of the HAPI Team and our cybersecurity partners, as well as FBI involvement, the 3Commas incident seems to be entering its culmination stage. What comes next is a class action lawsuit and a whole lot of legal processes that will be heavily backed by all the evidence provided until now.

3Commas Internal Commotion and Potential Inside Leak

There have been reports from the start hinting at the possibility of the leak being an inside job puppeteered by ex-employees of 3Commas. Some of the facts that may support this theory include employees leaving right after the storm started to gather, when the first user complaints popped up, or even right before the whole incident happened.

The HAPI Team contacted one of the ex-members of 3Commas. On the condition of remaining anonymous, our contact shed some light on the uncertainty and chaos within the company’s ranks. He describes the management as “intractable” and the whole internal situation as “chaotic”. Direct quote here: “The management in the company was chaotic therefore I can’t exclude the possibility of 3Commas keys being sold by ex employees or even employees who had access to these keys.”

Not to mention the fact that one of our contacts, a former employee at 3Commas, also said that the founders told them directly that the situation was hopeless. “This is the end of 3Commas” — said one of the founders.

The Current (10.01.2023) Breakdown of the Incident

The HAPI Team meticulously investigated several individual incidents and tallied the number and geographical distribution of the victims.

The total number of confirmed victims is 86 people from 32 countries.

The majority of losses both by volume and frequency were recorded on Binance.
