FTX users get drained millions in 3Commas API Exploit

Key Takeaways

• 3Commas and FTX conducted a probe into unauthorized trades for DMG crypto trading pairs on the FTX exchange
• Hackers used new 3Commas accounts to perform the DMG trades, but the API keys were not taken from 3Commas but from a fake phishing website.

Leading crypto trading bot provider 3Commas issued a security alert after an FTX user discovered that his account using the 3Commas API, has traded the DMM: Governance token over 5,000 times, leading to the loss of about $1.6 million worth of assets.

3Commas and FTX conducted a probe into unauthorized trades for DMG cryptocurrency trading pairs on the FTX exchange. Both the crypto firms identified that hackers used new 3Commas accounts to perform the DMG trades adding that “The API keys were not taken from 3Commas but from outside of the 3Commas platform.”

Hello Ftx, My name is Bruce and I am one of the victims of the 3Commas API exploit on FTX.I lost about 1.5 million USD in the attack(counting the market value of BTC).It happened on 21th in Beijing time. pic.twitter.com/sttAJnoRAU

— desertpower (@littlesand2) October 22, 2022

“To reiterate and clarify, there has been no breach of either 3Commas account security databases or API keys. This is an issue that has affected multiple users who have never been customers of 3Commas, so there is no possibility that it is a leak of API keys originating from 3Commas”, 3Comma’s official statement reads.

We investigated reports that some user accounts were compromised and investigated with FTX – we found the issue is likely related to Phishing, please read more here: https://t.co/ivdHo0IdEj pic.twitter.com/pmosstfrGi

— 3Commas (@3commas_io) October 21, 2022

Detailing how the hack took place,3commas states that several fake 3Commas websites were used to “phish” 3Commas users by copying the 3Commas web interface. This was followed by capturing API keys from 3Commas users that had accidentally used the fake website to try and connect their exchange accounts.

Later, the API keys were stored by the phishing site and used to place unauthorized trades on the DMG trading pairs on FTX. At first, when reports of unauthorized trades started surfacing, 3Commas denied any leaks from its end.

“This matter is being looked at as a top priority right now at 3Commas. We have the highest security with 2FA and OTP on login etc., to ensure that user accounts are always secure. We are in touch with the user to ensure they get all the support needed,” 3Commas had said.

The crypto firm suspect that 3rd party browser extensions or malware may also have been used owing to the scale and sophistication of the attack. Currently, FTX users are provided with the option to create a new API key on FTX and link it to their 3Commas account to ensure no disruption to active trades. 3Commas is now working with the affected users to provide assistance and gather more information about the hackers.