
API-Key Leaks and Exchange Inaction: A HAPI Analysis of the 3Commas Incident
For several months, the community has been discussing an API-key leak from the 3Commas platform. The firm acknowledged data compromise only in December 2022, though the first complaints date from October.
The HAPI team, a decentralised security protocol, shared with ForkLog a detailed analysis of the incident. The specialists assessed the damage to clients, explained how assets were stolen from users of centralised platforms, and described a class-action lawsuit being prepared in the United States against 3Commas.
🔥HAPI Labs is excited to unveil a new investigation into @3commas_io incident!
👉More than 27 million$ lost; numerous big exchanges involved including @binance and @coinbase.
✍️Full analysis and investigation into 3Commas here: https://t.co/jprPHOu51w
Small thread 🧵 pic.twitter.com/GJFf4WGajX
— HAPI LABS | Alerts (@hapi_labs) January 19, 2023
False rumors turned out to be true
In October 2022, 3Commas, together with the team of the cryptocurrency exchange FTX, reported the compromise of a number of API keys, which were subsequently used to execute unauthorized trades in the DMM Governance (DMG) token.
Some clients of the algorithmic-trading platform reported that the keys were used without their consent to perform operations on Binance, KuCoin and Coinbase.
Representatives of 3Commas at that time called this information ‘false rumors’.
There have been some false rumors shared by bad faith actors using falsified evidence to claim 3Commas leaked users’ API keys. These rumors were related to fake screenshots of Cloudflare logs that have been shared on Twitter and Youtube.
The full article: https://t.co/KVOF2BWlYn pic.twitter.com/qJ52CvnVg0
— 3Commas (@3commas_io) December 11, 2022
The platform team confirmed the data leak only in December, after Binance chief Changpeng Zhao warned of the issue.
It was reported that around 100,000 API keys fell into the attackers’ hands. They published 10,000 of them publicly and promised to publish the rest later.
3Commas confirmed the validity of the leaked information.
3Commas Statement:
1) We have seen the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas. pic.twitter.com/ZMuzCqeF1j
— 3Commas (@3commas_io) December 28, 2022
According to HAPI, dozens of people were affected in the incident; analysts noted the actual number could reach thousands, and total losses could run into tens of millions of dollars.
What is 3Commas?
3Commas is a service for algorithmic trading of digital assets, launched in 2017. According to HAPI, the Estonia-registered company was founded by Russians — Yuri Sorokin, Mikhail Gorunov and Egor Razumovsky.
The platform’s trading bots operate with many crypto exchanges. Notably, 3Commas is a partner of Binance and FTX, which is currently in bankruptcy proceedings.
The company also received funding from another FTX Group-linked entity, the now-notorious Alameda Research.
Security problems
On the security page, 3Commas states that the platform ‘takes user security seriously’.
Nevertheless, the first complaints about API-key compromise in October 2022 were either ignored by the project team or dismissed as rumors. In November, dozens of people were reporting issues, and the situation had ‘gotten out of control’.
The leadership said that, within an internal investigation, they found no evidence of employee involvement in the data breach.
HAPI asserts that shortly before the incident, and again when the first complaints appeared, several developers left the company. Analysts managed to reach some of them anonymously, and they confirmed that user keys could have been leaked by an insider.
«3Commas has completely closed code, closed software, closed development. There is not a single audit. In five years of operating as an official Binance broker, an official FTX partner — not a single public audit. […] All we learn is from departing developers and from the victims. […] And this is against the backdrop of claims of enormous trading volumes through the software they provide — $23bn per month, to be precise», a HAPI representative told ForkLog.
Additionally, one former platform team member said that in the days of the first complaints, the company’s co-founders were reportedly telling staff that the situation was critical and spoke of the ‘end of 3Commas’.
However, over time the rhetoric changed. The service denied all accusations for months, hinting at user negligence.
How did the attackers steal users’ funds?
According to analysts, the attackers, using external accounts on centralised platforms, placed sell orders for illiquid assets at high prices.
Then, through the victims’ accounts to which they gained API access, criminals swapped these assets on the order book for highly liquid ones.
Experts noted that this involved not only counter-trading but also wash trading. As an example, they cite a case where the victim’s liquid assets were worth 50 BTC before the attack and 7 BTC after the pump-and-dump scheme had run; the remaining 43 BTC ended up on the other side of the trades.
HAPI stressed that, having access to users’ API keys, the attackers bypassed 2FA and other security measures on exchanges. Analysts also noted that it is unclear whether 3Commas encrypted client data — due to the service’s closed architecture making verification impossible.
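To make the counter-trading pattern above concrete from the defender’s side, here is an added example (not from HAPI’s report or ForkLog) of a simplified surveillance check that an exchange or account owner could run over trade records: it flags API-key buys in thin markets filled far above the reference price and recomputes the victim’s liquid balance. The `Trade` schema, field names, thresholds and sample fills are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Trade:
    """One fill as seen by the exchange's surveillance side (constructed schema)."""
    account: str       # account that placed the order
    pair: str          # market, quoted in BTC
    side: str          # "buy" or "sell" from this account's point of view
    price: float       # fill price in BTC
    qty: float         # base-asset quantity
    ref_price: float   # recent mid-price for the pair before the order
    volume_24h: float  # pair's 24h volume in BTC, used as a liquidity proxy
    via_api: bool      # order submitted with an API key rather than the UI

def counter_trade_alerts(trades, max_dev=0.5, thin_volume=10.0):
    """Flag API-key buys of thin markets that filled far above the reference price.

    This is the pattern described in the article: a compromised key buys an
    illiquid asset that the attacker's own account is offering at an inflated price,
    so the victim's liquid BTC crosses the order book to the attacker.
    """
    alerts = []
    for t in trades:
        if not t.via_api or t.side != "buy":
            continue
        deviation = (t.price - t.ref_price) / t.ref_price
        if deviation > max_dev and t.volume_24h < thin_volume:
            alerts.append((t.account, t.pair, round(deviation, 1), t.price * t.qty))
    return alerts

def liquid_balance_after(start_btc, account, trades):
    """BTC left in `account` after its buys: the 'before/after' valuation HAPI cites."""
    spent = sum(t.price * t.qty for t in trades
                if t.account == account and t.side == "buy")
    return start_btc - spent

# Constructed sample: one ordinary API trade by another user, then the victim's
# leaked key draining 43 BTC into an illiquid token (50 BTC before, 7 BTC after).
SAMPLE = [
    Trade("other", "ETH/BTC", "buy", 0.070, 5, 0.0698, 2500.0, True),
    Trade("victim", "ILLQ/BTC", "buy", 0.50, 86, 0.01, 1.5, True),
    Trade("attacker", "ILLQ/BTC", "sell", 0.50, 86, 0.01, 1.5, False),
]

if __name__ == "__main__":
    for alert in counter_trade_alerts(SAMPLE):
        print("ALERT", alert)
    print("victim liquid BTC after:", liquid_balance_after(50.0, "victim", SAMPLE))
```

In production the reference price and liquidity proxy would come from the exchange’s own market data; the thresholds here are illustrative, not tuned values.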
The incident in numbers
According to HAPI:
- as of 10 January 2023, the number of affected users stood at 86 people from 32 countries;
- the verified loss to 3Commas clients is valued at $27,285,845. The smallest loss is around $500, the largest — $5.9 million;
- most victims are citizens of the US (21) and the UK (11), followed by residents of Ukraine, Canada and Thailand (4 each); 19 cases involve EU residents;
- among the victims, most users were Binance (47), KuCoin (28), Coinbase Pro (10) and Bittrex (1).
Analysts noted that six users lost more than a million dollars each. In total, they account for about 67% of the total losses, or $18.3 million.

The most money was lost by Binance users — collectively around $23.5 million. KuCoin and Coinbase Pro accounted for $2.1 million and $1.5 million respectively.

By country, the largest losses were borne by residents of Thailand — over $6.4 million. In second place were UK citizens ($5.5 million), and third were EU residents ($4.8 million).

In October 2022 there were only four cases of funds theft, with total user losses of $470,000. In November, the number of confirmed victims rose to 24. Their losses were estimated at $14.9 million.

«It looks like all the whales were cleaned out in November», HAPI noted.
The vast majority of compromised API keys were generated in 2022 (about 78% of the total). Four cases, however, involved keys created in 2020, and two in 2019.
Role of the exchanges
The 3Commas service supports more than two dozen exchanges, yet only Binance, KuCoin and Coinbase Pro users were affected; there is also one confirmed case with a Bittrex client.
«Perhaps the problem isn’t just about 3Commas? Indirectly we can tie this to how exchanges manage user API keys. Most exchanges deactivate trading keys after 3–6 months by default. In Binance’s case, the leak affected keys generated more than three years ago», HAPI noted.
According to analysts, Binance knew about the incident by November 2022. In early December, HAPI officials contacted the exchange requesting cooperation with the investigation, but a platform representative declined to join the initiative and advised turning to law enforcement.
The company stressed that the affected exchanges could have mitigated losses to users. Specifically, they could revoke API keys, freeze involved accounts until circumstances were clarified, and consult cybersecurity specialists.
Instead, Binance, and later KuCoin and Coinbase, did not inform clients for a long time about deactivating keys, despite numerous complaints and suspicions about the data leak.
At present, all exchanges have disabled API keys from 3Commas, the HAPI team explained.
What next?
HAPI confirmed that on 29 December 2022 the FBI joined the investigation. 3Commas came under the agency’s scrutiny because US citizens are overrepresented among the affected users, and some of the company’s servers are located in the United States.
The sizable losses, and the fact that affected users intend to file a class action against 3Commas, also played a role.
«Will the FBI have a strong influence? I’m not sure. Especially if 3Commas offers people partial compensation or something more. But a group of Americans preparing a class-action has invited affected users from Ukraine, the Baltics, the EU, and the UK to join. Of course, the class-action in the USA is designed to protect US citizens, but victims from other jurisdictions add weight. Will it help victims from other jurisdictions? I think it will», a HAPI representative said.
Representatives of 3Commas and Binance were unable to provide timely comments regarding the data leak. ForkLog will update the piece when it receives responses from the mentioned companies.