An anonymous Twitter user has obtained around 100,000 API keys belonging to users of the crypto trading service 3Commas. The leaker published over 10,000 of the keys on Wednesday and says the rest “will be published full [sic] randomly in the upcoming days.”
3Commas CEO Yuriy Sorokin confirmed the authenticity of the leak in a tweet on Wednesday, adding that "as an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the [API] keys that were connected to 3Commas."
The leak comes after dozens of users of 3Commas claimed that their API keys were used to execute trades on exchanges such as Binance, KuCoin and Coinbase without their consent. As previously reported, 3Commas confirmed that users lost at least $6 million to attackers starting in October, but that sum has at least doubled in recent weeks according to users.
CoinDesk is not linking to or naming the pseudonymous leaker's Twitter account because doing so could further expose sensitive private information.
3Commas initially told its users' losses resulted from phishing attacks, but those users – over 50 of whom have organized themselves into Telegram group chats – have insisted that their credentials must have been leaked by 3Commas or an exchange like Binance or Coinbase.
Wednesday's data dump is the clearest evidence yet that the credentials were leaked rather than phished. Multiple 3Commas users confirmed to CoinDesk that they were able to find their API keys among those that were shared by the leaker.
In his tweet, 3Commas' Sorokin noted that he and his company "did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found."
Before 3Commas made its statement, Binance CEO Changpeng Zhao cautioned users on Wednesday afternoon that "If you have ever put an API key in 3Commas (from any exchange), please disable it immediately."
3Commas allows users to set up trading bots that automatically execute trades on their behalf on third-party crypto exchanges. Those exchanges generate API keys, and users plug those keys into 3Commas in order to grant the app access to their accounts. The API keys included in this week’s leak were, according to the leaker, generated on Binance and KuCoin.