Phishing Attack? 3Commas API Leak Leaves an FTX User with a $1.26M Loss

Dave Yeh
4 min read · Dec 1, 2022


Early on October 19th, 2022, an FTX trader who connected his account to 3Commas via API (3Commas is a crypto trading platform whose API service lets users connect and operate trading bots on their own exchanges) claimed that his account had abnormally generated a large number of trades on DMG tokens, causing a huge loss of his assets.

Wu Blockchain disclosed the case in a tweet: “It was not an isolated case but already 3 victims so far.”

FTX trader claimed: already lost $1.6M due to 3Commas API leak

According to the information he published, around $1.6 million in BTC, ETH, FTT and other assets was stolen from his account through more than 5,000 trades on DMG tokens. DMG also surged 70% on October 19th, 2022.

DMG had a 70% surge on Oct. 19th, 2022

The trader believed that his 3Commas API key had been leaked and immediately contacted FTX customer support for assistance. However, FTX insisted that the trader first submit a police case filing notice, took no further investigation into the case, and did not take any security steps to freeze funds or suspend the suspicious accounts involved.

3Commas: There is no API leak

3Commas commented on the incident shortly after the disclosure, stating that no leak had occurred and that its system remained secure as usual.

“This matter is being looked at as a top priority right now at 3Commas. We have the highest security with 2FA and OTP on login etc to ensure that user accounts are always secure. We are in touch with the user to ensure they get all the support needed,” 3Commas stated.

After this brief reply, 3Commas posted an announcement attributing the incident to a phishing attack: inauthentic external websites mocked up to resemble the 3Commas interface. According to 3Commas, there was no API leak on its side.

“There have been no breaches of either 3Commas’ account security and API encryption systems, nor the account security and API encryption systems of our partner exchanges,” 3Commas said.

SBF: It was a Phishing Attack

SBF, the ex-CEO of the FTX exchange, also viewed the incident as a phishing attack, sharing his opinion after the 3Commas announcement. SBF also said that the affected traders would be compensated, but only in this case.

“THIS IS A ONE-TIME THING AND WE WILL NOT DO THIS GOING FORWARD. THIS IS NOT A PRECEDENT. We will not be making a habit of compensating for users getting phished by fake versions of other companies!” SBF said.

Another $150k Loss from a 3Commas API Leak

On Thanksgiving morning, a trader posted on Reddit that he had suffered a $150k loss due to a leak of the 3Commas API key for his Coinbase Pro account.

“I woke up on Thanksgiving morning to a loss of over $150k due to 1,300 unauthorized transactions in my Coinbase Pro account. The trades were placed using the API key that I set up on 3Commas recently,” the trader said.

Many other victims commented on the post, reporting losses of varying amounts after connecting their personal accounts to 3Commas via API.

Although 3Commas has since updated its API key handling, and 3Commas users can now set a whitelist of the trading pairs a key may trade to guard against API leak incidents, public opinion was not easily calmed.
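Added example, not code from 3Commas or any exchange: a defender-side sketch of the two controls this incident calls for, a per-key trading-pair whitelist that an exchange could enforce when an API order arrives, and a burst detector that flags the pattern seen here (thousands of orders on one illiquid pair in a short time). The policy model, the order format and the sample orders are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiKeyPolicy:
    """Restrictions a trader attaches to an exchange API key (hypothetical model)."""
    allowed_pairs: frozenset

@dataclass(frozen=True)
class Order:
    ts: int      # unix seconds
    pair: str
    side: str
    qty: float

def check_order(policy: ApiKeyPolicy, order: Order):
    """Return None if the key may place this order, otherwise the rejection reason."""
    if order.pair not in policy.allowed_pairs:
        return f"pair {order.pair} is not in the key's whitelist"
    return None

def burst_alerts(orders, window_s=60, max_per_window=50):
    """Per pair, the largest order count inside any window_s-second span, if it exceeds max_per_window."""
    by_pair = defaultdict(list)
    for o in orders:
        by_pair[o.pair].append(o.ts)
    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_per_window:
                alerts[pair] = max(alerts.get(pair, 0), count)
    return alerts

# Constructed sample: three normal BTC trades over an hour, then 200 DMG orders in 200 seconds.
SAMPLE_ORDERS = [Order(t, "BTC/USDT", "buy", 0.01) for t in (0, 1800, 3600)]
SAMPLE_ORDERS += [Order(1000 + i, "DMG/USDT", "buy" if i % 2 else "sell", 5000.0) for i in range(200)]
POLICY = ApiKeyPolicy(allowed_pairs=frozenset({"BTC/USDT", "ETH/USDT"}))

def run_demo(orders=SAMPLE_ORDERS, policy=POLICY):
    """Count orders the whitelist would have rejected and report burst alerts on the rest of the stream."""
    rejected = [o for o in orders if check_order(policy, o) is not None]
    return len(rejected), burst_alerts(orders)

if __name__ == "__main__":
    n_rejected, alerts = run_demo()
    print(f"rejected by whitelist: {n_rejected}, burst alerts: {alerts}")
```

With the whitelist in place every DMG order is refused before it reaches the book; without it, the burst detector still raises an alert on DMG/USDT within the first minute of the run.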

Pionex: API is not a sustainable business

“API trading bot is no longer a sustainable business for all of us. A business will not be held liable for damages even if it’s possible that the business is running leaked secret API keys,” Pionex said.

APIs are widely used in the crypto industry, and major exchanges such as FTX, Binance and Huobi all offer API access. Securing them is complex and demands constant attention, while an attacker only needs one weakness or bug to gain access to the system and operate your account.

An API is a useful tool for connecting your personal account to other services. However, offering API access as a business service is not recommended: it is a direct gateway through which attackers can reach users’ data in many ways. Users are therefore advised not to rely on API keys for their investments but to choose a platform that provides built-in trading tools.

Why not choose trading bots without API keys?

Pionex is a pioneering exchange with leading crypto trading bots. It provides 16 free built-in trading bots for investors to choose from and allows users to share their strategies with others. You don’t have to use an API or pay any fee to use the trading bots, making it a more secure and convenient way to invest.

Pionex also provides multiple ways to buy crypto, and users can manage all their funds on the Pionex platform. If you are an investor who likes trading bots but is wary of API leak issues, Pionex is the best solution for you.
