3Commas legal statement in regard to violated API keys 

DATE PUBLISHED: NOV 22, 2022
DATE UPDATED: NOV 23, 2022

Over the past month, there have been a few incidents of unauthorized trades on our partner exchanges. It is our best current understanding that users’ API keys were accessed through a variety of phishing and input-stealing methods. 

As we have already explained in our various Blog posts (https://3commas.io/blog), on 20th October the 3Commas team was alerted to unauthorized trading activity on multiple exchanges. It is our best understanding at the present time that a third party executed an attack on exchanges by utilizing API keys stolen from users, and also potentially compromised the security of users' personal computers via malware and browser extensions to access the files where their keys were stored.

Even though some individuals have argued that the API keys have been stolen as a fault of 3Commas, we can assure you that to our best current knowledge the incidents did not occur due to the fault of 3Commas. On the basis of the information that we have today, we have found that no encryption protocols have been compromised and no breaches of 3Commas' account security databases have occurred. According to our best current knowledge, if a third party got access to the users' API keys, that happened outside of the 3Commas system. Consequently, as far as we are aware, there has been no violation of the 3Commas Terms of Use on 3Commas' side. The fact that 3Commas has not “leaked” any API keys is also evident from the fact that many of the victims were not 3Commas customers but used some other trade automation service. The 3Commas software platform worked exactly as intended for an automatic trading tool. The fact of the matter is that the tool was abused by malefactors.

As soon as the malicious activity was detected, 3Commas took the measures available to it in order to limit and stop this attack and prevent any further cases from occurring as much as possible. Only a minuscule fraction of users reported abnormal activity to 3Commas. 99.9% of the API keys owned by 3Commas users have not been impacted by the attacks. During the investigation we did not find any common denominator between these attacks: the affected clients had different API key connection times as well as different deposit patterns and sizes. All this indicates that this is a sophisticated multi-month phishing attack executed by a criminal organization targeting individual crypto traders.

3Commas is not liable for the alleged loss of those users' assets and/or possible damages. We have explained and stipulated that in our Terms of Use; please see also Sections 4.2.2, 4.2.3, 18.2, 18.3 and 19.2 accordingly.

Phishing can take many forms: fake copies of service providers' websites, including the 3Commas website (we have found evidence of at least 19 fake websites between July and November 2022); malware; malicious website scripts that take control of the clipboard on your PC and look for API keys, secrets and wallet addresses; and malicious browser extensions, among others. We are constantly monitoring and reporting the phishing websites pretending to be 3Commas in order to minimize the risk for our clients.

Since 20th October 2022, 3Commas has made numerous Blog posts warning our users of phishing attacks, and we have been asking our users to be alert and safe. Additionally, we informed our users via email of steps to proactively enhance their security. However, even on 18th November 2022 we received tickets from users in which they provided us with a screenshot of the website that they were using, thinking it to be the 3Commas website, when in reality they were using a phishing website. The day before, on 17th November 2022, 3Commas made a security notification (https://3commas.io/blog/security-notification-update-your-api-keys) providing our users with a secure system for connecting API keys. Regardless of that, some users have not been following the instructions provided in the security notification and are still connecting their APIs to a phishing website. This is just one example of the reports that we are receiving.

Unfortunately, there has been a lot of misleading and unverified information that people, and even other market participants, have spread without proper knowledge, and probably in some cases also in bad faith, just to misinform others and harm 3Commas and/or other market participants unfairly. In some extreme cases users have even been blackmailing us and threatening to spread false information.

We understand users' frustration and we are more than happy to help and assist the authorities to catch all the bad actors and perpetrators. For all users that have been affected by the third-party attacks, 3Commas has been and still is advising these users to contact law enforcement authorities in their home country and/or in Estonia. Law enforcement authorities can help these users to resolve the fraudulent schemes and collect information from 3Commas and our trading partners. When you contact the law enforcement authority in your home country, the authorities are able to file a request for cooperation and information with the Estonian Police. At this stage, 3Commas is awaiting contact from the Estonian Police with regard to the users' cases. 3Commas will, of course, cooperate in good faith, and we will reply to authorities' requests as prescribed by law to help them with their possible investigations in order to identify the party/parties behind the attacks.

We are continuously working with our partner exchanges in order to optimize our services. For example, after the first incidents were made known to 3Commas, despite the fact that it restricts the functions of 3Commas' platform, 3Commas disabled the possibility of adding exchange accounts with the same API keys to multiple users. Nevertheless, it should be noted that, according to our knowledge, with most of the market participants there is still the possibility to add other accounts with the same API key. Moreover, at the request of FTX, 3Commas chose not to accept connections to any new FTX accounts using API keys or secrets directly, and to support connections through OAuth instead. On 17th November 2022 3Commas notified our customers that 3Commas had engineered a new security upgrade to the API management system by using a cutting-edge cryptographic solution to create a fully isolated environment where the keys cannot be exported or reused. In the same 17th November 2022 notification 3Commas urged partner exchanges to offer Fast Connect to utilize that feature for enhanced security. Therefore, even though 3Commas had not found any breaches of the account security or API encryption systems of either 3Commas or our partner exchanges, 3Commas is working tirelessly in order to enhance our users' account security.

To our partner exchanges we would like to stress that whenever they notice unusual activity on a dormant token, or whenever they notice irregular exchanges on their users' accounts, they should take swift steps to investigate and stop the attacks before they happen. On our part we are doing our best to identify such signs and to notify our partner exchanges.

3Commas would like to emphasize that we are looking at each user's ticket on a case-by-case basis. This also means that in order to reach any conclusions, we do require time and ask for our users' patience. Our users' account security is our greatest priority, hence we are taking the utmost care when approaching each user's case.

As 3Commas is working out new cutting-edge means to enhance our users' account security, we acknowledge that this is possible only if we receive our users' feedback. Therefore, we are grateful to the users who have given us their valuable feedback.

3Commas has concluded rigorous and extensive investigations into its security systems, working day and night in order to conduct them comprehensively. However, should any new information come to light, we are open to further investigations. Once again, 3Commas is dedicated to identifying the bad actors and working with law enforcement authorities to do so. Currently, it is 3Commas' name and reputation that is being unfairly blamed by some individuals. Thus, 3Commas is greatly interested in helping its users in any way we can.

We would also like to kindly inform all individuals who are presenting misleading information to the public and/or to other users that it may constitute an offense punishable by the law and it may also incur civil and in some cases even criminal liability. Therefore, we kindly ask all individuals not to provide misleading information to other users and/or the public etc. Providing misleading and untrue information does not help 3Commas or our partner exchanges to resolve the third-party attacks, but rather sows misguided mistrust and even hate towards 3Commas and our partner exchanges who are trying to help the victims of the attack. Therefore, we sincerely hope that the individuals who are spreading or thinking of spreading untrue and baseless accusations towards 3Commas and our partner exchanges reconsider their behavior. 
