3Commas Incident - Phishing Attack Or Leak?
Alleged 'phishing attack' victims suspect security issues in 3commas infrastructure and raise lots of valid questions. Two weeks have passed without further comment from the CEO Yuriy Sorokin.
3commas is a company that offers trading bots and automated trading solutions. These can be connected directly to the customer's exchange account in order to execute trades on the user's behalf. They work with exchanges such as Binance and Coinbase, and formerly FTX.
It was founded in 2017, CEO is Yuriy Sorokin, and there were two funding rounds:
In November 3, a Series A (Alameda Research), and on September 22 2022, a Series B (Alameda Research, Dmitry Tokarev, Jump Crypto, Target Global). On this note, Target Global has also invested in the company ‘Copper’, which is run by D. Tokarev. Needless to say, the Alameda connection could be of interest.
As described earlier, the main business of 3commas is trading bots that execute trades on selected exchanges (Coinbase, Binance, and until recently FTX) on behalf of the client. To execute those trades, 3commas needs the customer's API key for the respective exchange; only with this API key can trades be placed.
3commas Users Report Compromised Accounts; Millions of USD Lost
In October, customers of 3commas discovered that their accounts had been compromised. The damages are in the six-figure range and above, per customer. Coindesk quoted one of the victims, who suffered a loss of $200,000, in an article:
“There were dozens and dozens and dozens of trades. Basically, they used my API details to sell all of my assets into a low-cap, low-liquidity coin.”
So far, the number of victims seems to be limited, but the cumulative damage is considerable.
Shortly after, it turned out that the exchange accounts were compromised via 3commas API keys; this was confirmed by Binance and Coinbase employees.
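The pattern the victim describes above (a burst of API-key-driven trades selling a whole portfolio into one thin, low-cap coin) is something an exchange or a bot platform can detect from its own trade log. The following is an added example, not code from 3commas, Binance or Coinbase: it takes constructed trade records (the `Trade` field names, account ids, the `LOWCAP` ticker and the volume figures are all assumptions) and flags accounts whose API-originated trades, inside a short window, sell several distinct assets into a single asset with thin 24h market volume. A DCA bot buying BTC fifteen times in a row is deliberately included so the liquidity and asset-diversity checks are shown to leave it alone.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed trade record; the field names are assumptions, not any exchange's schema.
@dataclass(frozen=True)
class Trade:
    account: str
    ts: datetime
    origin: str                # "api" (placed through an API key) or "web" (placed in the UI)
    sold: str                  # asset given up
    bought: str                # asset received
    bought_vol_24h_usd: float  # 24h market volume of the received asset (constructed figure)


def flag_api_dump_bursts(trades, window=timedelta(minutes=30), min_trades=10,
                         min_assets=3, thin_volume_usd=500_000):
    """Flag accounts whose API-originated trades, inside one `window`, contain at
    least `min_trades` sells of at least `min_assets` distinct assets, all into a
    single asset whose 24h volume is below `thin_volume_usd`.

    Returns {account: {"target": asset, "trades": n, "assets_sold": k}}.
    """
    by_account = defaultdict(list)
    for t in trades:
        if t.origin == "api":  # only key-driven activity is of interest here
            by_account[t.account].append(t)

    findings = {}
    for account, acct_trades in by_account.items():
        acct_trades.sort(key=lambda t: t.ts)
        for i, start in enumerate(acct_trades):
            # every API trade inside the window that opens at this trade
            in_window = [t for t in acct_trades[i:] if t.ts - start.ts <= window]
            by_target = defaultdict(list)
            for t in in_window:
                by_target[t.bought].append(t)
            for target, group in by_target.items():
                distinct_sold = {t.sold for t in group}
                thin = max(t.bought_vol_24h_usd for t in group) < thin_volume_usd
                if len(group) >= min_trades and len(distinct_sold) >= min_assets and thin:
                    prev = findings.get(account)
                    if prev is None or len(group) > prev["trades"]:  # keep the largest burst
                        findings[account] = {"target": target, "trades": len(group),
                                             "assets_sold": len(distinct_sold)}
    return findings


BASE = datetime(2022, 10, 20, 9, 0)


def _trade(account, minute, origin, sold, bought, vol):
    return Trade(account, BASE + timedelta(minutes=minute), origin, sold, bought, vol)


# Constructed sample log: one drained account, one DCA bot, one manual trader.
SAMPLE_TRADES = (
    [_trade("acct-A", m, "api", ["BTC", "ETH", "SOL", "ADA", "DOT", "LINK"][m % 6],
            "LOWCAP", 120_000.0) for m in range(12)]
    + [_trade("acct-B", m * 2, "api", "USDT", "BTC", 12_000_000_000.0) for m in range(15)]
    + [_trade("acct-C", 5, "web", "BTC", "LOWCAP", 120_000.0),
       _trade("acct-C", 40, "web", "ETH", "LOWCAP", 120_000.0)]
)

if __name__ == "__main__":
    for account, hit in flag_api_dump_bursts(SAMPLE_TRADES).items():
        print(f"{account}: {hit['trades']} API sells of {hit['assets_sold']} assets into {hit['target']}")
```

Running the block reports only `acct-A`: twelve API-driven sells of six different assets into `LOWCAP` within minutes. The bot account is spared because it buys one liquid asset from one funding asset, and the manual trader is skipped because its orders did not come through an API key. A rule like this is a detection, not a fix; the keys themselves still have to be scoped (trade-only, no withdrawal, IP-restricted where the exchange supports it) so that a leaked key cannot do more than a rule like this can notice after the fact.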
Also CZ commented on the issue, on November 14 2022:
In the meantime, voices in the community have been hinting at a leak at 3commas. The explanation of a phishing attack is simply inadequate. There are too many inconsistencies and open questions that no one at 3commas seems able to answer, or willing to.
But there are a lot of questions, especially when 3commas' ‘final comment’ on the issue reads like this:
3commas CEO Yuriy Sorokin on November 19 2022:
3commas Ignoring Questions Increases Probability Of Leak Theory
Twitter user Shaif has already dedicated a lot of time to shedding light on the whole situation, but he is being ignored: none of the questions he asked have been answered.
Some of them concerned the situation in general and the suspicious circumstances (victims hit in the same way; funds used to trade the same pairs; every victim holding six figures or more in the account), why the alleged phishing attack cannot explain what happened, how 3commas handles the API keys, and more. You can read them all here.
He showed his disappointment today on Twitter:
It is time that he and the other victims are heard! The official explanation is deeply flawed:
‘Questionable’ Behaviour from CEO Sorokin - Calls Victim ‘Idiot’ on Twitter
In the comments we find Yuriy Sorokin, CEO of 3commas. Not to clarify things or to answer questions, but just to say that they are working on ‘legal options’, while chat logs show that lawyers were already handling any questions a while ago.
Oh yes, and he is calling a victim an ‘idiot’; this alone is a huge red flag, no matter what else happened. Just saying.
This is not how a ‘proven leader, successful at establishing operational excellence’ would react to legitimate questions about his company's operations, is it?
Phishing or Leak? It Smells Fishy!
The official version from 3commas, that the affected users fell for a phishing attack, is more than unlikely in my opinion.
The timing, the fact that all victims had a larger amount of funds available, the silence on the part of 3commas ... something is not right here at all. The behaviour of the CEO does not exactly promote trust in the company either.
Was 3commas hurt by the downfall of Alameda Research, the main investor? Was it not a phishing attack but a leak of API keys and possibly even an inside job?
I will update this article in the future if new material is available. You are always welcome to get in touch if you have something to share!