Week, a group of traders reported that $22 million worth of crypto had been stolen through compromised api keys linked to 3commas. on wednesday, 3commas admitted it was the source of that api leak. the incident involved 3commas, a platform that allows users to link their multiple crypto exchange accounts to automated trading software, an anonymous twitter user, zachxbt, binance ceo changpeng zhao, 3commas ceo ilya sorokin, and decrypt.
Incident occurred last week, when the anonymous twitter user posted around 100,000 api keys belonging to 3commas users online. 3commas co-founder yuriy sorokin eventually tweeted an apology and confirmation that the data in the files was true. additionally, about a month prior to ftx filing for bankruptcy, sam bankman-fried had agreed to refund $6 million to customers affected by what was described as a phishing scam involving 3commas.
Api keys were leaked through a compromised api, which allowed the anonymous twitter user to access the keys. api keys must not be shared with anyone and must only be used by the owner, as their misuse can result in serious financial losses for users. zachxbt asserted that there were too few incidents for it to have been a 3commas exploit, while binance ceo changpeng zhao tweeted that he was “reasonably sure” there were “widespread api key leaks” from 3commas. 3commas had initially denied any security issue on its end, but eventually admitted to the leak and recommended disabling api keys in 3commas, as well as revoking all the keys that were connected to 3commas.
https://decrypt.co/118094/after-repeated-denials-3commas-admits-it-was-source-for-earlier-hacks