{"id":72805,"date":"2023-01-19T17:24:07","date_gmt":"2023-01-19T15:24:07","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=72805"},"modified":"2025-09-09T10:27:12","modified_gmt":"2025-09-09T07:27:12","slug":"api-key-leaks-and-exchange-inaction-a-hapi-analysis-of-the-3commas-incident","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/api-key-leaks-and-exchange-inaction-a-hapi-analysis-of-the-3commas-incident\/","title":{"rendered":"API-Key Leaks and Exchange Inaction: A HAPI Analysis of the 3Commas Incident"},"content":{"rendered":"<p>For several months, the community has been discussing an API-key leak from the 3Commas platform. The firm acknowledged data compromise only in December 2022, though the first complaints date from October.\u00a0<\/p>\n<p>The HAPI team, a decentralised security protocol, shared with ForkLog a detailed analysis of the incident. The specialists assessed the damage to clients, explained how assets were stolen from users of centralised platforms, and described a class-action lawsuit being prepared in the United States against 3Commas.<\/p>\n<blockquote class='twitter-tweet'>\n<p lang='en' dir='ltr'>\ud83d\udd25HAPI Labs is excited to unveil a new investigation into <a href='https:\/\/twitter.com\/3commas_io?ref_src=twsrc%5Etfw'>@3commas_io<\/a> incident!<\/p>\n<p>\ud83d\udc49More than 27 million$ lost; numerous big exchanges involved including <a href='https:\/\/twitter.com\/binance?ref_src=twsrc%5Etfw'>@binance<\/a> and <a href='https:\/\/twitter.com\/coinbase?ref_src=twsrc%5Etfw'>@coinbase<\/a>. 
<\/p>\n<p>\u270d\ufe0fFull analysis and investigation into 3Commas here: <a href='https:\/\/t.co\/jprPHOu51w'>https:\/\/t.co\/jprPHOu51w<\/a><\/p>\n<p>Small thread \ud83e\uddf5 <a href='https:\/\/t.co\/GJFf4WGajX'>pic.twitter.com\/GJFf4WGajX<\/a><\/p>\n<p>\u2014 HAPI LABS | Alerts (@hapi_labs) <a href='https:\/\/twitter.com\/hapi_labs\/status\/1616078460405035009?ref_src=twsrc%5Etfw'>January 19, 2023<\/a><\/p><\/blockquote>\n<h2 class='wp-block-heading'>False rumors turned out to be true<\/h2>\n<p>In October 2022, 3Commas, together with the cryptocurrency exchange FTX, <a href=\"https:\/\/forklog.com\/en\/news\/3commas-and-ftx-report-compromise-of-several-users-api-keys\">reported<\/a> the compromise of a number of API keys, which were subsequently used to execute unauthorized trades in the DMM Governance (DMG) token.<\/p>\n<p>Some clients of the algorithmic-trading platform reported that the keys were used without their consent to perform operations on Binance, KuCoin and Coinbase.<\/p>\n<p>Representatives of 3Commas at that time <a href=\"https:\/\/forklog.com\/en\/news\/3commas-denies-leak-of-users-api-keys\">called<\/a> this information &#8216;false rumors&#8217;.<\/p>\n<blockquote class='twitter-tweet'>\n<p lang='en' dir='ltr'>There have been some false rumors shared by bad faith actors using falsified evidence to claim 3Commas leaked users\u2019 API keys. 
These rumors were related to fake screenshots of Cloudflare logs that have been shared on Twitter and Youtube.<br \/>The full article: <a href='https:\/\/t.co\/KVOF2BWlYn'>https:\/\/t.co\/KVOF2BWlYn<\/a> <a href='https:\/\/t.co\/qJ52CvnVg0'>pic.twitter.com\/qJ52CvnVg0<\/a><\/p>\n<p>\u2014 3Commas (@3commas_io) <a href='https:\/\/twitter.com\/3commas_io\/status\/1602024943708999682?ref_src=twsrc%5Etfw'>December 11, 2022<\/a><\/p><\/blockquote>\n<p>The platform team confirmed the data leak only in December, after Binance chief Changpeng Zhao <a href=\"https:\/\/forklog.com\/en\/news\/changpeng-zhao-warns-of-api-key-leaks-on-3commas-platform\">warned<\/a> about the problem.\u00a0<\/p>\n<p>It was reported that around 100,000 API keys fell into the attackers&#8217; hands. They published 10,000 of them publicly and promised to publish the rest later.\u00a0<\/p>\n<p>3Commas confirmed the validity of the leaked information.<\/p>\n<blockquote class='twitter-tweet'>\n<p lang='en' dir='ltr'>3Commas Statement:<\/p>\n<p>1) We have seen the hacker\u2019s message and can confirm that the data in the files is true. As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas. 
<a href='https:\/\/t.co\/ZMuzCqeF1j'>pic.twitter.com\/ZMuzCqeF1j<\/a><\/p>\n<p>\u2014 3Commas (@3commas_io) <a href='https:\/\/twitter.com\/3commas_io\/status\/1608226169400315904?ref_src=twsrc%5Etfw'>December 28, 2022<\/a><\/p><\/blockquote>\n<p>According to HAPI, dozens of people were affected in the incident; analysts noted the actual number could reach thousands, and total losses could run into tens of millions of dollars.<\/p>\n<h2 class='wp-block-heading'>What is 3Commas?<\/h2>\n<p>3Commas is a service for algorithmic trading of digital assets, launched in 2017. According to HAPI, the Estonia-registered company was founded by Russians \u2014 Yuri Sorokin, Mikhail Gorunov and Egor Razumovsky.<\/p>\n<p>The platform\u2019s trading bots operate with many crypto exchanges. Notably, 3Commas is a partner of Binance and FTX, which is currently <a href=\"https:\/\/forklog.com\/en\/news\/how-the-collapse-of-ftx-and-alameda-research-will-affect-the-crypto-industry\">in<\/a> bankruptcy proceedings.\u00a0<\/p>\n<p>The company also <a href='https:\/\/www.businesswire.com\/news\/home\/20220922005579\/en\/Largest-Crypto-Trading-Bot-and-Investment-Platform-3Commas-Raises-37M-in-Series-B-Funding-Round'>received<\/a> funding from another FTX Group-linked structure \u2014 the now-notorious Alameda Research.\u00a0<\/p>\n<h2 class='wp-block-heading'>Security problems<\/h2>\n<p>On the <a href='https:\/\/3commas.io\/security'>security page<\/a>, 3Commas states that the platform &#8216;takes user security seriously&#8217;.\u00a0<\/p>\n<p>Nevertheless, the first complaints about API-key compromise in October 2022 were either ignored by the project team or dismissed as rumors. 
In November, dozens of people were reporting issues, and the situation had &#8216;gotten out of control&#8217;.<\/p>\n<p>The leadership said that an internal investigation found no evidence of employee involvement in the data breach.<\/p>\n<p>HAPI asserts that shortly before the incident, and again around the time the first complaints appeared, some developers left the company. Analysts managed to reach some of them \u2014 anonymously \u2014 and they confirmed that user keys could have been leaked by an insider.<\/p>\n<blockquote class='wp-block-quote is-layout-flow wp-block-quote-is-layout-flow'>\n<p>\u00ab3Commas has completely closed code, closed software, closed development. There is not a single audit. In five years of operating as an official Binance broker, an official FTX partner \u2014 not a single public audit. [\u2026] All we learn is from departing developers and from the victims. [\u2026] And this is against the backdrop of claims of enormous trading volumes through the software they provide \u2014 $23bn per month, to be precise\u00bb, a HAPI representative told ForkLog.<\/p>\n<\/blockquote>\n<p>Additionally, one former platform team member said that in the days of the first complaints, the company\u2019s co-founders were reportedly telling staff that the situation was critical and spoke of the &#8216;end of 3Commas&#8217;.<\/p>\n<p>However, over time the rhetoric changed. The service denied all accusations for months, hinting at user negligence.<\/p>\n<h2 class='wp-block-heading'>How did the attackers steal users\u2019 funds?<\/h2>\n<p>According to analysts, the attackers, using external accounts on centralised platforms, placed sell orders for illiquid assets at high prices.\u00a0<\/p>\n<p>Then, through the victims\u2019 accounts to which they had gained API access, the criminals used the victims\u2019 liquid holdings to buy those illiquid assets on the order book, filling their own orders.\u00a0<\/p>\n<p>Experts noted that this involved not only counter-trading, but also wash trading. 
For example, they cite a scenario where before the attack the victim\u2019s liquid assets were valued at 50 BTC, and after the pump-and-dump scheme had run, at 7 BTC. Meanwhile, 43 BTC ended up on the other side of the trades.<\/p>\n<p>HAPI stressed that with access to users\u2019 API keys the attackers bypassed 2FA and other security measures on exchanges, since those controls protect the login flow rather than API-authenticated trading requests. Analysts also noted that it is unclear whether 3Commas encrypted client data, because the service\u2019s closed architecture makes verification impossible.\u00a0<\/p>\n<h2 class='wp-block-heading'>The incident in numbers<\/h2>\n<p>According to HAPI:<\/p>\n<ul class='wp-block-list'>\n<li>as of 10 January 2023, the number of affected users stood at 86 people from 32 countries;<\/li>\n<li>the verified loss to 3Commas clients is valued at $27,285,845. The smallest loss is around $500, the largest \u2014 $5.9 million;<\/li>\n<li>the largest groups of victims are US citizens (21) and UK citizens (11), followed by residents of Ukraine, Canada and Thailand (4 each). 19 cases involve EU residents;<\/li>\n<li>among the victims, most were users of Binance (47), KuCoin (28), Coinbase Pro (10) and Bittrex (1).<\/li>\n<\/ul>\n<p>Analysts noted that six users lost more than a million dollars each. 
In total, they account for about 67% of the total losses, or $18.3 million.<\/p>\n<figure class='wp-block-image size-large'><img loading='lazy' decoding='async' width='1024' height='559' src='https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144-1024x559.jpeg' alt='largest 3Commas victims' class='wp-image-195745' srcset='https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144-1024x559.jpeg 1024w, https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144-300x164.jpeg 300w, https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144-768x419.jpeg 768w, https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144-1536x838.jpeg 1536w, https:\/\/forklog.com\/wp-content\/uploads\/Tg_image_2979625144.jpeg 1980w' sizes='auto, (max-width: 1024px) 100vw, 1024px'><figcaption>Data: HAPI.<\/figcaption><\/figure>\n<p>The most money was lost by Binance users \u2014 collectively around $23.5 million. KuCoin and Coinbase Pro accounted for $2.1 million and $1.5 million respectively.<\/p>\n<figure class='wp-block-image size-large'><img loading='lazy' decoding='async' width='1024' height='558' src='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-2-1024x558.jpg' alt='3Commas victims by exchange. Data: HAPI' class='wp-image-195746' srcset='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-2-1024x558.jpg 1024w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-2-300x164.jpg 300w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-2-768x419.jpg 768w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-2.jpg 1280w' sizes='auto, (max-width: 1024px) 100vw, 1024px'><figcaption>Data: HAPI.<\/figcaption><\/figure>\n<p>By country, the largest losses were borne by residents of Thailand \u2014 over $6.4 million. 
In second place were UK citizens ($5.5 million), and third were EU residents ($4.8 million).<\/p>\n<figure class='wp-block-image size-large'><img loading='lazy' decoding='async' width='1024' height='717' src='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-39-1024x717.jpg' alt='Geography of 3Commas victims' class='wp-image-195747' srcset='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-39-1024x717.jpg 1024w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-39-300x210.jpg 300w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-39-768x538.jpg 768w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-39.jpg 1280w' sizes='auto, (max-width: 1024px) 100vw, 1024px'><figcaption>Data: HAPI.<\/figcaption><\/figure>\n<p>In October 2022 there were only four cases of funds theft, with total user losses of $470,000. In November, the number of confirmed victims rose to 24. Their losses were estimated at $14.9 million.<\/p>\n<figure class='wp-block-image size-large'><img loading='lazy' decoding='async' width='1024' height='558' src='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-1024x558.jpg' alt='3Commas key theft' class='wp-image-195748' srcset='https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-1024x558.jpg 1024w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-300x164.jpg 300w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41-768x419.jpg 768w, https:\/\/forklog.com\/wp-content\/uploads\/Photo_2023-01-12_02-47-41.jpg 1280w' sizes='auto, (max-width: 1024px) 100vw, 1024px'><figcaption>Data: HAPI.<\/figcaption><\/figure>\n<blockquote class='wp-block-quote is-layout-flow wp-block-quote-is-layout-flow'>\n<p>\u00abIt looks like all the whales were cleaned out in November\u00bb, HAPI noted.<\/p>\n<\/blockquote>\n<p>The vast majority of compromised API keys were generated in 2022 (about 78% of the total). Four cases, however, involved keys created in 2020, and two in 2019.<\/p>\n<h2 class='wp-block-heading'>Role of the exchanges<\/h2>\n<p>The 3Commas service supports more than two dozen exchanges, yet only Binance, KuCoin and Coinbase Pro users were affected; there is also one confirmed case with a Bittrex client.<\/p>\n<blockquote class='wp-block-quote is-layout-flow wp-block-quote-is-layout-flow'>\n<p>\u00abPerhaps the problem isn\u2019t just about 3Commas? Indirectly we can tie this to how exchanges manage user API keys. Most exchanges deactivate trading keys after 3\u20136 months by default. In Binance\u2019s case, the leak affected keys generated more than three years ago\u00bb, \u2014 noted HAPI.<\/p>\n<\/blockquote>\n<p>According to analysts, Binance knew about the incident by November 2022. In early December, HAPI officials contacted the exchange requesting cooperation with the investigation, but a platform representative declined to join the initiative and advised turning to law enforcement.\u00a0<\/p>\n<p>The company stressed that the affected exchanges could have mitigated losses to users. Specifically, they could have revoked API keys, frozen the accounts involved until circumstances were clarified, and consulted cybersecurity specialists.\u00a0<\/p>\n<p>Instead, Binance, and later KuCoin and Coinbase, for a long time did not inform clients that keys were being deactivated, despite numerous complaints and suspicions about the data leak.<\/p>\n<p>At present, all exchanges have disabled API keys from 3Commas, the HAPI team explained.<\/p>\n<h2 class='wp-block-heading'>What next?\u00a0<\/h2>\n<p>HAPI confirmed that on 29 December 2022 the <span data-descr='Federal Bureau of Investigation (FBI)' class='old_tooltip'>FBI<\/span> joined the investigation. 
3Commas came under the agency\u2019s scrutiny because US citizens are overrepresented among the affected users, and some of the company\u2019s servers are located in the United States.<\/p>\n<p>The sizable losses also played a role, as did the fact that affected users intend to file a class action against 3Commas.<\/p>\n<blockquote class='wp-block-quote is-layout-flow wp-block-quote-is-layout-flow'>\n<p>\u00abWill the FBI have a strong influence? I\u2019m not sure. Especially if 3Commas offers people partial compensation or something more. But a group of Americans preparing a class-action has invited affected users from Ukraine, the Baltics, the EU, and the UK to join. Of course, the class-action in the USA is designed to protect US citizens, but victims from other jurisdictions add weight. Will it help victims from other jurisdictions? I think it will\u00bb, \u2014 said a representative of HAPI.<\/p>\n<\/blockquote>\n<p>Representatives of 3Commas and Binance were unable to provide timely comments regarding the data leak. ForkLog will update the piece when it receives responses from the mentioned companies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The HAPI team shared with ForkLog a detailed analysis of the 3Commas incident. 
The specialists assessed the damage to clients, explained how assets were stolen from users of centralised platforms, and described the class-action lawsuit being prepared in the United States against 3Commas.<\/p>\n","protected":false},"author":1,"featured_media":72806,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[1144],"tags":[2313,1188],"class_list":["post-72805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-longreads","tag-3commas-io","tag-data-breach"],"aioseo_notices":[],"amp_enabled":true,"views":"50","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/72805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=72805"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/72805\/revisions"}],"predecessor-version":[{"id":72807,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/72805\/revisions\/72807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/72806"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=72805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=72805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=72805"}],"cur
ies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}