The chief executive of the crypto trading platform 3Commas, Yuriy Sorokin, confirmed Wednesday that a set of 100,000 application programming interface keys published on Twitter by an anonymous user had in fact been obtained from its service.

This announcement followed reports last week that a group of traders had discovered they had become victims of a hack for about $22 million through using 3Commas service.

The service allows users to set up trading bots that automatically execute trades on their behalf on cryptocurrency exchanges. Users link their 3Commas accounts to the service using API keys with the exchange to automate trades, and if those keys are stolen, it opens up their accounts to potential attack. That’s because with access to the API key, an attacker can execute trades, move currency and more.

When losses were initially reported, Sorokin asserted that there was nothing wrong with 3Commas security and that there must have been a phishing attack that caused users to give up their API keys.

However, Wednesday the apparent attackers claimed to leak 10% of the total stolen API keys and said that they intended to publish the rest in the following days. In the wake of that publication, Sorokin acknowledged that the APIs came from 3Commas.

After examining the API keys, Sorokin and 3Commas warned users that they should disable their keys with any exchanges that are connected to the service, such as Binance and Kucoin. That would make it impossible for any attackers to manipulate their cryptocurrency on those exchanges using the stolen API keys.

1. Statement from 3Commas:

We saw the hacker’s message and can confirm that the data in the files is true. As an immediate action, we have asked that Binance, Kucoin, and other supported exchanges revoke all the keys that were connected to 3Commas.

— Yuriy Sorokin (@YS_3Commas) December 28, 2022

“We have seen the hacker’s message and can confirm that the data in the files is true,” Sorokin posted on Twitter as part of a statement from 3Commas. “As an immediate action, we have requested that Binance, Kucoin and other supported exchanges revoke all keys that were connected to 3Commas.”

The company also said that it investigated the possibility that it could have been an inside job and found no evidence to support that.

“Only a small number of technical employees had access to the infrastructure and we have taken steps since Nov. 19 to remove their access,” Sorokin added. According to the statement, the company will also be involving law enforcement in the investigation.

Before the statement from 3Commas, crypto exchange Binance CEO Changpeng “CZ” Zhao warned users on Wednesday that he was “reasonably sure” of “widespread API leaks” from 3Commas and that users should disable their keys immediately.

Jason Kent, hacker in residence at Cequence Security Inc., told SiliconANGLE that the challenge with this breach is the API keys aren’t for the platform that had the breach, rather they’re for other platforms where tasks need to be performed. “This causes some serious issues with clean-up,” he said.

Typically, he explained, the keys would all be flushed and invalidated, and new keys would need to be generated. But because the API keys aren’t owned by the 3Commas platform. the breach bleeds over to other platforms. Those platforms, because they weren’t breached, aren’t as eager about getting the keys removed.

That leaves difficult questions, he added. “Did they notify everyone they need to? Are they able to validate the keys are in fact gone and regenerated?” he said. “This is going to be a difficult bit of work to police and ensure everyone is going to be safe.”

Image: Marco Verch