3Commas denies that staff members stole API keys

Crypto trading company 3Commas has denied that its employees stole users’ API keys, claiming that screenshots circulating on social media are false and urging affected users to file police reports to prevent the perpetrators from stealing their money.

In a blog post published on December 11, 3Commas co-founder and CEO Yuriy Sorokin said that fake screenshots of Cloudflare logs are circulating on Twitter and YouTube “in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to the data of the users and log files”. The alleged screenshots purport to show how client API keys were exposed in the 3Commas control panel on Cloudflare.

In another blog post, on December 10, Sorokin encouraged affected users to file a police report to have their exchange accounts frozen. “The faster this is done, the faster exchanges can freeze perpetrators’ accounts to prevent funds from being withdrawn and increase the likelihood that some or all of the funds will be returned to victims.”

Since most crypto exchanges follow Know Your Customer standards, users are required to provide identity details to trade or withdraw funds. If affected users provided a police report, exchanges could share this information with investigators, the company noted.

As reported by Cointelegraph, a cryptocurrency trader calling himself CoinMamba on Twitter shut down his Binance account after complaining about the loss of funds. The leaked API key was linked to a 3Commas account. Both Binance and 3Commas deny any responsibility for the incident.

3Commas claims to have identified evidence of phishing attacks as a “contributing factor” to the thefts. According to the company, the phishing attacks began in October, with bad actors trying different techniques. Sorokin stated:

“Furthermore, we have strong evidence that phishing was, at least in part, a contributing factor; we posted a blog article here showing many fake 3Commas websites that were created and some are still active on the Internet, despite our best efforts to remove them.”

The company is disabling Exchange API connections that are older than 90 days.