Confirming CZ's claims, 3Commas confirms API keys leak but denies insider job
The CEO of Binance, Changpeng Zhao (more commonly known as CZ), warned his Twitter followers that he believes there have been leaks of API keys on the cryptocurrency trade management platform 3Commas.
On December 9th, Binance cancelled the account of a user who reported losing funds and claimed that a leaked API key from 3Commas had been used to manipulate the prices of low market cap coins for profit.
Binance did not reimburse the user and Changpeng Zhao, the CEO, stated that the loss was not verifiable and that if the company compensated for such losses, it would essentially be similar to paying users to lose their own API keys.
On December 11th, the CEO of 3Commas, Yuriy Sorokin, published a blog post denying allegations that the company had poor security and that employees were stealing API keys. Sorokin claimed that fake screenshots were being circulated on social media platforms and provided a technical analysis refuting the authenticity of these images.
Sorokin stated that the person who created the screenshots did a good job with HTML editing but made mistakes that proved their claims were fake.
There were initial reports of security issues at 3Commas in late October when the FTX exchange issued a security alert about unauthorised trades involving the DMG coin on its platform.
It was later discovered that hackers had created 3Commas accounts to carry out these trades, but according to 3Commas, the API keys used were not obtained from within the 3Commas platform but rather from an external source.
In a later blog post, Yuriy Sorokin, the CEO of 3Commas, acknowledged that there is evidence that phishing was at least partially responsible for some user losses. Additionally, a Twitter user has claimed that all of 3Commas' API keys have been leaked.
At the time of writing, Yuriy Sorokin, the CEO of 3Commas, has confirmed that there has been a leak of API keys, but no evidence was found to suggest that the leak was an insider job.