3Commas API Dispute Highlights Risks of Algorithmic Trading

Despite the bear market, cryptocurrency day traders still see opportunities to strike it rich. Many seek out an edge by employing algorithmic trading bots that automatically execute trades at a moment's notice.

There are risks in letting code make snap decisions, however, particularly when granting it access to crypto exchange accounts. A group of investors organizing on Telegram say that they have been the victims of hackers that compromised the Application Programming Interface (API) of the automated trading platform 3Commas to the tune of $22 million.

Users link their exchange accounts to 3Commas to automate trading using exchange API keys. In response to this article, 3Commas co-founder Yuriy Sorokin clarified that hack victims are claiming that his company leaked those exchange API keys, "not that 3Commas has issues with its API."

"That's pretty important," he tweeted.

Pseudonymous Internet Sleuth @ZachXBT said on Wednesday that dozens of users have reported that thieves siphoned funds away through unauthorized trades on their centralized exchange accounts because of the 3Commas API.

"3Commas blames it on ‘phishing’ but I now have verified a group of 44 victims who've had $14.8m in total stolen," ZachXBT tweeted.

In a Google Docs document shared in the Telegram group and viewed by Decrypt, members say the exchanges where the unauthorized transactions occurred include Binance, Coinbase Pro, and KuCoin.

"Users have made complaints across different exchanges,” ZachXBT wrote. “It's clear this is not phishing and API keys were stolen.”

What is an API?

An API is a set of rules that define how two software programs—in this case, a trader's portfolio or wallet and a cryptocurrency exchange—should communicate. APIs are used for various reasons, providing a way for developers to access multiple services and data, and enabling users to interact with different applications through a single user interface.

What is algorithmic trading?

Algorithmic trading uses computer programs, including APIs, to execute trades in financial markets. These programs, also known as trading bots, are designed to analyze market conditions and execute trades triggered by predefined parameters.

One advantage of algorithmic trading is that it allows traders to execute trades quickly without human interaction. Trading bots can be especially useful in fast-moving global markets like cryptocurrency, where manual trading may not be possible.

While algorithmic trading bots can help traders looking for an edge, their use also carries risks, such as potential errors or malfunctions in the algorithm or compromised access to their settings.

An earlier 3Commas scam

In October 2022, then-FTX CEO Sam Bankman-Fried paid out $6 million to FTX traders who were victims of a multimillion-dollar scam, He tweeted that he was prepared to remunerate FTX users affected by a phishing exploit involving 3Commas, but warned that the action should not be considered a precedent or company policy.

He asserted: "We will not making a habit of compensating for uses getting phished by fake versions of other companies!"

A security update published by 3Commas confirmed that API keys linked to newly-created 3Commas accounts were used to execute the unauthorized trades. But 3Commas says the theft of user funds was due to a phishing attack, not their software, and called the claims of API leaks or exploits—then and now—fake and spread by bad actors.

The issue is not about 3Commas API, it is about the safety of API keys of the users stored on 3Commas platform," Sorokin tweeted. "And these API keys are safe."

In a series of blog posts posted to the 3Commas website, Sorokin has repeatedly addressed the claims against the platform.

"In the latest edition to this saga of API keys and attacks on exchanges, we're now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files," Sorokin wrote, pointing to a December 10, 2022 tweet that he says claims 3Commas employees are stealing API keys.

The investigation continues

In an email response to Decrypt, 3Commas asserted that "there are no API leaks or exposure of our database," and said that it is working with Google to take down phishing websites trying to copy its platform, which could trick customers into submitting their API keys.

3Commas also wrote that they are working with Binance in "investigating the root cause" and said its own team is "finding a permanent solution to fix the API issue." The company did not respond to a request from Decrypt to explain what API issue required fixing.

Excluding actions by insiders, how would an attacker know who to attack—via phishing or otherwise—and when?

"Normally, my answer would be ‘it depends,’” David Schwed, COO of Web3 security firm Halborn, told Decrypt.

"If an attacker was able to inspect network traffic, they'd be able to obtain some information as to who was making API calls based on either the URL or the originating IP address," Schwed said. "However, in this case, the users of the API were much simpler to ascertain."

"In the developer section of 3commas.io, they have an API chat link to a [Telegram] group with close to 1,000 members,” he explained. “Those members, I'd assume, are all API users."

Edmundo Pena, a cybersecurity professional and algorithmic trader who goes by "Mundy" online, tells Decrypt he had used 3Commas' trading software since 2020 when he first heard about the platform. Around that same time, Pena says he launched his business, Crypto Trading Desk.

Mundy says he has used 3Commas' API on multiple portfolios for just under two years without issue; he first noticed problems with his trading account during the Thanksgiving holiday in November 2022.

"I had an API with trade-enabled access to my portfolio," he said. "My greatest fear was realized on Thanksgiving morning when I started seeing 1000s of trade alerts happening on my portfolio." Pena said he deleted the API before the thieves drained all of his funds.

Mundy took to Google to research what happened to him and found that he was not the only one to experience what he did. Pena says he is working with others who say the same thing happened to them.

So far, Mundy claims to have had face-to-face interviews with nearly 60 individual users who report unauthorized transactions using 3Commas’ API.

He adds that several of the people he spoke with have taken the step of going to law enforcement about the matter. Using his background in cybersecurity forensics, Mundy says he was able to reverse engineer the attack on his account. He then took that information to contacts in the U.S. Secret Service.

In December 2022, a crypto trader who goes by CoinMamba took to Twitter to say that their Binance was compromised due to a leak of the 3Commas API key, which led them to lose funds.

The tweet led to several exchanges between CoinMamba and Binance CEO Changpeng "CZ" Zhao, which ended with CoinMamba's Binance account being closed.

"The only common denominator here is 3Commas," Mundy said.

Though Mundy is confident that there is an issue with 3Commas software, he did acknowledge that some of the problems stem from traders forgetting about and leaving APIs attached to their accounts.

"Most people forget," he said. "Setting up APIs isn't something that you do quite often. Most people have only ever had one API associated with their portfolio." Mundy tells Decrypt other affected traders are also looking at their legal options and are working with law enforcement.

Editors note: This article has been updated to clarify that the API keys involved were issued by exchanges, and to further incorporate responses Sorokin published on Twitter.