Despite the bear market, cryptocurrency day traders still see opportunities to strike it rich. Many seek out an edge by employing algorithmic trading bots that automatically execute trades at a moment’s notice.
There are risks in letting code make snap decisions, however. A group of investors organizing on Telegram say that they have been the victims of hackers that compromised the Application Programming Interface (API) of the automated trading platform 3Commas to the tune of $22 million.
In a series of tweets, pseudonymous Internet Sleuth @ZachXBT claims dozens of users have reported that thieves siphoned funds away through unauthorized trades on their centralized exchange accounts because of the 3Commas API.
“3Commas blames it on ‘phishing’ but I now have verified a group of 44 victims who’ve had $14.8m in total stolen,” ZachXBT tweeted.
1/3 Over the past couple of weeks a number of @3commas_io users have reported unauthorized trades on their CEX accounts.
3Commas blames it on “phishing” but I now have verified a group of 44 victims who’ve had $14.8m in total stolen. pic.twitter.com/49K28a5Pf8
— ZachXBT (@zachxbt) December 20, 2022
In a Google doc shared in the Telegram group and viewed by Decrypt, members say the exchanges where the authorized transactions occurred include Binance, Coinbase Pro, and KuCoin.
“Users have made complaints across different exchanges,” ZachXBT wrote. “It’s clear this is not phishing and API keys were stolen.”
2/3 Users have made complaints across different exchanges. It’s clear this is not phishing and api keys were stolen.
3Commas and their founder have chosen to blame its users. Delete the api keys if you haven’t already and stop using 3commas.
— ZachXBT (@zachxbt) December 20, 2022
What is an API?
An API is a set of rules that define how two software programs—in this case, a trader’s portfolio or wallet and a cryptocurrency exchange—should communicate. APIs are used for various reasons, providing a way for developers to access multiple services and data, and enabling users to interact with different applications through a single user interface.
What is algorithmic trading?
Algorithmic trading uses computer programs, including APIs, to execute trades in financial markets. These programs, also known as trading bots, are designed to analyze market conditions and execute trades triggered by predefined parameters.
One advantage of algorithmic trading is that it allows traders to execute trades quickly without human interaction. Trading bots can be especially useful in fast-moving global markets like cryptocurrency, where manual trading may not be possible.
While algorithmic trading bots can help traders looking for an edge, their use also carries risks, such as potential errors or malfunctions in the algorithm or compromised access to their settings.
An earlier 3Commas scam
In October 2022, then-FTX CEO Sam Bankman-Fried paid out $6 million to FTX traders who were victims of a multimillion-dollar scam that hit FTX users through compromised 3Commas APIs.
Bankman-Fried tweeted that he was prepared to remunerate FTX users affected by an exploit in which attackers used 3Commas’ API to make trades on the exchange, but warned that the action should not be considered a precedent or company policy.
13) But in this particular case, we will compensate the affected users.
THIS IS A ONE-TIME THING AND WE WILL NOT DO THIS GOING FORWARD.
THIS IS NOT A PRECEDENT.
We will not making a habit of compensating for uses getting phished by fake versions of other companies!
— SBF (@SBF_FTX) October 23, 2022
3Commas says the theft of user funds was due to a phishing attack, not their software, and called the claims of API leaks or exploits—then and now—fake and spread by bad actors.
There have been some false rumors shared by bad faith actors using falsified evidence to claim 3Commas leaked users’ API keys. These rumors were related to fake screenshots of Cloudflare logs that have been shared on Twitter and Youtube.
The full article: https://t.co/KVOF2BWlYn pic.twitter.com/qJ52CvnVg0
— 3Commas (@3commas_io) December 11, 2022
In a series of blog posts posted to the 3Commas website, co-founder Yuriy Sorokin has repeatedly addressed the claims against the platform.
“In the latest edition to this saga of API keys and attacks on exchanges, we’re now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files,” Sorokin wrote, pointing to a December 10, 2022 tweet that he says claims 3Commas employees are stealing API keys.
The investigation continues
In an email response to Decrypt, 3Commas asserted that “there are no API leaks or exposure of our database,” and said that it is working with Google to take down phishing websites trying to copy its platform, which could trick customers into submitting their API keys.
3Commas also wrote that they are working with Binance in “investigating the root cause” and said its own team is “finding a permanent solution to fix the API issue.” The company did not respond to a request from Decrypt to explain the API issue that required fixing.
Excluding actions by insiders, how would an attacker know who to attack—via phishing or otherwise—and when?
“Normally, my answer would be ‘it depends,’” David Schwed, COO of Web3 security firm Halborn, told Decrypt.
“If an attacker was able to inspect network traffic, they’d be able to obtain some information as to who was making API calls based on either the URL or the originating IP address,” Schwed said. “However, in this case, the users of the API were much simpler to ascertain.”
“In the developer section of 3commas.io, they have an API chat link to a [Telegram] group with close to 1,000 members,” he explained. “Those members, I’d assume, are all API users.”
Edmondo “Mundy” Pena, a cybersecurity professional and algorithmic trader, tells Decrypt he had used 3Commas’ trading software since 2020 when he first heard about the platform. Around that same time, Pena says he launched his business, Crypto Trading Desk.
Pena says he has used 3Commas’ API on multiple portfolios for just under two years without issue. Pena says he first noticed problems with his trading account during the Thanksgiving holiday in November 2022.
“I had an API with trade-enabled access to my portfolio,” he said. “My greatest fear was realized on Thanksgiving morning when I started seeing 1000s of trade alerts happening on my portfolio.” Pena said he deleted the API before the thieves drained all of his funds.
Pena says he took to Google to research what happened to him and found that he was not the only one to experience what he did. Pena says he is working with others who say the same thing happened to them.
So far, Pena says he has had face-to-face interviews with nearly 60 individual users who report unauthorized transactions using 3Commas’ API.
He says that several of the people he spoke with have taken the step of going to law enforcement about the matter. Using his background in cybersecurity forensics, Pena says he was able to reverse engineer the attack on his account. He then took that information to contacts in the U.S. Secret Service.
In December 2022, a crypto trader who goes by CoinMamba took to Twitter to say that their Binance was compromised due to a leak of the 3Commas API key, which led them to lose funds.
Hey guys. Unfortunately two days ago my Binance account got exploited through an API which I’ve created 2 years ago and haven’t used since which I assumed I deleted but apparently didn’t. It was used to make trades on low cap coins to push up the price to make profit.
— CoinMamba (@coinmamba) December 8, 2022
The tweet led to several exchanges between CoinMamba and Binance CEO Changpeng “CZ” Zhao, which ended with CoinMamba’s Binance account being closed.
“The only common denominator here is 3Commas,” Pena said.
Though Pena is confident that there is an issue with 3Commas software, he did acknowledge that some of the problems stem from traders forgetting about and leaving APIs attached to their accounts.
“Most people forget,” he said. “Setting up APIs isn’t something that you do quite often. Most people have only ever had one API associated with their portfolio.”
Pena tells Decrypt that other affected traders are also looking at their legal options and are working with law enforcement.
Stay on top of crypto news, get daily updates in your inbox.
Source: https://decrypt.co/117826/3commas-api-dispute-highlights-risks-of-algorithmic-trading