3Commas CEO confirms API key leak following warning from CZ

Binance CEO Changpeng Zhao (CZ) warned his 8 million Twitter followers on Dec. 28 that he is “reasonably sure” that API key leaks are taking place at the cryptocurrency trade management platform.

The disclosure by CZ followed an incident on Dec. 9, when Binance cancelled the account of a user who complained about losing funds a day earlier. That user claimed a leaked API key tied to 3Commas was used “to make trades on low cap coins to push up the price to make profit.” Binance declined to reimburse the user. CZ tweeted that the loss was unverifiable, and if the company made up for such losses “we will just be paying for users to lose their API keys.”

On Dec. 11, 3Commas CEO Yuriy Sorokin claimed on the company blog that fake screenshots were circulating on Twitter and YouTube purporting to show the company had lax security and that employees were stealing API keys. Sorokin denied the allegations in an in-depth technical analysis of the images:

“The person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. We’ll go through those point by point.”

Security issues first arose at 3Commas in late October. At that time, the still-functional FTX exchange issued a security alert in response to reports from users of unauthorized trades of trading pairs with the DMG coin on FTX. 3Commas and FTX determined that hackers had created 3Commas accounts to perform the trades. However, according to the 3Commas blog, “the API keys were not taken from 3Commas but from outside of the 3Commas platform.”

Related: How Binance is protecting its users with responsible trading program

In a subsequent blog post, Sorokin acknowledged that “we have hard evidence that phishing was at least in some part a contributory factor” in user losses.

In the meantime, a Twitter user has alleged that all of 3Commas’ API keys have been leaked.

Now, Sorokin has confirmed the leak, addin that no proof was found that the leak was an inside job.