KEY POINTS

  • An anonymous Twitter user claimed they have gotten around 100,000 API keys that belong to 3Commas users
  • 3Commas CEO later admitted the API keys leak is true after the exchange denied it for days
  • Victims of the hacks caused by the leak API keys are now demanding refund

For days, 3Commas, a cryptocurrency exchange platform, insisted that victims who reported unauthorized trades on their accounts fell prey to scammers who conducted phishing attacks and not because of the alleged API keys leak, but on Wednesday, the exchange's CEO said he was "sorry" that the issue "has gotten this far."

"We saw the hacker's message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas," 3Commas CEO Yuriy Sorokin said on his official Twitter account.

"We did everything that we could to investigate an inside job, as it was always a possible scenario and on our watch list, but proof of an inside job was not found," the executive added, noting that "only a small number of technical employees had access to the infrastructure and we have taken action since November 19 to remove their access."

Sorokin also assured customers that 3Commas has implemented "new security measures" and will launch "a full investigation involving law enforcement."

The CEO further said, "We are sorry that this has gotten so far and will continue to be transparent in our communications around the situation."

Sorokin's statement surfaced after an anonymous Twitter user claimed they have gotten around 100,000 API keys that belong to 3Commas users and will eventually publish them online.

A Twitter user and on-chain sleuth who goes by the handle @zachxbt confirmed the leak and later sarcastically told 3Commas: "Congrats you morons are what's wrong with the space."

Now, the biggest question is, how did they get a hold of over 100,000 API keys of 3Commas users?

A Pastebin post, presumably made by those who have the API keys, claimed that the crypto exchange allegedly sold users' data to the highest bidder and not a result of a code exploit. To prove that they have the said API keys, they shared a small amount of data on the leaked API keys and noted that they will publish 100,000 more keys soon.

"Trade APIs provided by 3commas staff. We have the whole database. We will be leaking it when we are done filtering your personal information, so people don't get doxxed, we will only release the API keys," read the post, which has since been removed.

Victims of the hacks, which were caused by the leaked API keys, called for refunds and an apology from the company for denying the whole fiasco earlier.

apple-692186_19201
Representation. Nicholas Faber, 25, was sentenced to three years in federal prison after he used college students' school emails to hack their social media accounts and steal nude photos. Pixabay
Read more