3Commas Crypto Trading Bots confirm major leak of API keys belonging to its users
by Eric Martin 
3Commas crypto trading bots platform has confirmed the leak of many API keys belonging to its users.
As a reminder, an API key allows a trading bot to access an account on a crypto exchange such as Binance or Kucoin in order to be able to carry out automated trading transactions.
If you use 3Commas crypto trading robots, you must therefore deactivate the API key linked to this automatic trading platform as soon as possible.
For automated crypto trading, it is best to use Kryll crypto trading bots, renowned for its security: click here to learn more about their automated crypto trading platform.
“3Commas Statement:
We have seen the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas.”, says 3Commas.
3Commas Statement:
1) We have seen the hacker's message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas. pic.twitter.com/ZMuzCqeF1j
— 3Commas (@3commas_io) December 28, 2022
Issues had been reported several months earlier by clients of the platform who had funds stolen from Binance and FTX, 3Commas then said that these people had been victims of phishing attacks.
FTX had also reimbursed $6 million to users who had had their cryptocurrencies stolen through the use of their API key.
Recent information published on social networks ultimately reveals that it is therefore not a phishing scam but that almost 100,000 API keys from the 3Commas crypto trading bot platform were actually stolen internally or hacked, and are in the hands of malicious people.
1/ Six hours ago an account messaged me and sent over a db with api keys of 3Commas users. I began working to verify its validity and quickly shared the info with exchanges. pic.twitter.com/MBKatUyzBE
— ZachXBT (@zachxbt) December 28, 2022
It was after a tweet from the CEO of Binance, in which he invites 3Commas users to deactivate their API key, that the Bitcoin robot platform 3Commas finally confirmed this leak of API keys which would be coming from the hacking of its servers.
“I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately. Stay #SAFU.”, says CZ Binance.
I am reasonably sure there are wide spread API key leaks from 3Commas. If you have ever put an API key in 3Commas (from any exchange), please disable it immediately.
Stay #SAFU.
— CZ 🔶 Binance (@cz_binance) December 28, 2022
I strongly believe @tier10k is correct here, not 3comma's official response (BS). https://t.co/gV4DxVfxUZ
— CZ 🔶 Binance (@cz_binance) December 28, 2022
Some mention the hypothesis of a 3Commas employee who sold these databases containing the API keys of many users of the company specializing in automated crypto trading.
It remains to be seen now whether 3Commas users who have had their crypto funds stolen will be compensated by the platform which declared yesterday that there was still no leak of API keys…
There is no API leak on 3Commas. Here is a statement on this FUD. https://t.co/4Hzn5wksDK
We have encouraged victims to make a police report so that exchanges can be investigated for the KYC account making these trades to track funds and return them to the user.
— 3Commas (@3commas_io) December 28, 2022
This security flaw has the consequence of leading users of crypto trading bots, whether professional traders or individuals, to switch to competing services deemed safer such as Kryll, Cryptohopper or Haasbot.
After FTX, Terra (LUNA), 3AC, Celsius, or Voyager Digital, the 3Commas API leak reminds us that the year 2022 is not yet over and that it can still hold some surprises for us.
