Three hours after putting its users on high alert because of an alleged security breach, 3Commas put an end to rumors that its automated crypto trading bot had been hacked.
After getting tips from different users, the company said on Friday that it had found several API keys being used to make unauthorized trades for the DMG cryptocurrency trading pairs on FTX. Also, it was said that traders who have never used 3Commas were affected by what seemed to be a “3rd party phishing or hacking attack of some kind.”
According to the company, the hackers tried to access its users through several fake 3Commas web interfaces that were made to steal API keys from 3Commas users who tried to connect their FTX exchange accounts. The fake website then saved the API keys, which were then used to make illegal trades on the DMG trading pairs on FTX. As a safety measure, FTX and 3Commas had marked accounts with suspicious activity and turned off the API keys, which could have been hacked.
But after a joint investigation with FTX, the company found that “the API keys were not taken from 3Commas but from outside the 3Commas platform.” This means that neither the account security databases nor the API keys were affected by the breach.
“The theft happened outside of the 3Commas system, most likely through a phishing attack on fake websites made to look like the 3Commas interface,” the company said in an update on Sunday. “Both 3Commas’ account security and API encryption systems and our partner exchanges’ account security and API encryption systems have not been broken.”
But the company said that only three users were affected by the phishing. And while 3Commas hasn’t said how much money the victims lost, Sam Bankman-Fried, CEO of crypto exchange FTX, said in an update on October 24 that the number is likely around $6 million.
Fried said that it was company policy for users to carry their own cross in phishing cases, but in this case, FTX had decided to pay the three victims. “We can’t make up for users who get phished by fake versions of other companies in the space! But in this case, we will pay the users who were affected. THIS IS A ONE-TIME THING, AND WE WON’T DO IT AGAIN IN THE FUTURE. THIS DOES NOT SET A TREND. We won’t make it a habit of giving money back to people who get phished by fake versions of other companies, tweeted Fried on Monday.
The co-founder and CEO of 3Commas, Yuri Sorokin, also told users to be careful. He gave a list of security protocols that users should look over to lower their chances of falling for phishing attacks.
