44 Traders Lost $14.8 Million In 3Commas Debacle: Report

Summary:

• On-chain sleuth ZachXBT discovered a group of 44 traders with complaints against crypto trading software 3Commas.
• The traders lost $14.8 million across centralized exchanges like Binance, FTX, and OKX due to stolen API keys, per Zach’s analysis.
• 3Commas denied leaking users’ API keys and claimed phishing attacks were partly responsible. 

At least 44 traders who leveraged trading bot 3Commas for automated cryptocurrency trading lost a total of $14.8 million following unauthorized transactions on centralized exchanges (CEX) like Binance, FTX, and OKX to name a few, per ZachXBT’s Tuesday threads.

The on-chain sleuth discovered a group of 44 persons with complaints against the automated trading software company. A group is also pushing for a class action lawsuit against the trading software developer, said ZachXBT. 

1/3 Over the past couple of weeks a number of @3commas_io users have reported unauthorized trades on their CEX accounts.

3Commas blames it on “phishing” but I now have verified a group of 44 victims who’ve had $14.8m in total stolen. pic.twitter.com/49K28a5Pf8

— ZachXBT (@zachxbt) December 20, 2022

In November, Binance CEO Changpeng ‘CZ’ Zhao tweeted that at least three users with accounts on Binance were affected. Users were told to revoke any third-party access to avoid further losses.

3Commas said the funds were stolen due to a mix of compromised API keys and phishing attacks. The company stressed that employees did not steal or sell user keys as a response to mounting criticism from the public.

Also, we have hard evidence that phishing was at least in some part a contributory factor; we published a blog article here showing many fake 3Commas websites that were created and some are still live on the internet, despite our best efforts to have them taken down.

3/3 A group is currently organizing a class action lawsuit so if you’ve been effected please leave a comment below.

— ZachXBT (@zachxbt) December 20, 2022

3Commas, Binance, and CoinMamba 

On December 8, a pseudonymous 3Commas and Binance user known as CoinMamba on Twitter alerted their followers to an exploit. Funds were stolen from CoinMamba’s account due to an API submitted to the trading bot, the thread explained.

Friction erupted between CoinMamba and Binance after the user accused Binance of refusing to help with recovery. Binance CEO CZ noted that the exchange cannot verify who stole the API keys as users leveraged third-party software. 

Have talked to Binance support and so far they are refusing to do anything to help me with the situation, saying that is my fault. Not sure how the API was leaked, and whose fault is this.

— CoinMamba (@coinmamba) December 8, 2022

Mamba, there is almost no way for us to be sure users didn’t steal their own API keys. The trades were done using API keys you created. Otherwise we will just be paying for users to lose their API keys. Hope you understand.

— CZ 🔶 Binance (@cz_binance) December 9, 2022

Binance eventually restricted CoinMamba’s account to withdrawals only as a resolution could not be reached.  Users are advised to delete third-party APIs from their crypto exchange accounts (NOT FINANCIAL ADVISE!)