Analytics

Market analysis, price predictions, and expert opinions in one place.

Fake screenshots are being circulated claiming employees stole API keys

In the latest edition to this saga of API keys and attacks on exchanges, we’re now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people  that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files. Specifically, this tweet from the 10th of December claims 3Commas employees are stealing API keys.

The person who created the screenshots did a nice job with an HTML editor, but they made a few key mistakes that easily prove their claims are fake. We’ll go through those point by point.

You can also refer to our December 10th article where we broke down all the details we can make public about our investigation into any potential breach of 3Commas systems, and what we know about the attacks on our exchange partners.

Update on investigation into API keys and attacks on exchanges

We’d like to address some frequently asked questions and concerns raised from users affected by the attack on exchange APIs. If you haven't heard about it, a number of users of Binance, OKX, FTX and some other exchanges have experienced unauthorized trades initiated via API keys.

Please note, that we cannot respond with specific details for individual cases as the answers will not be applicable to every user or the exchange account affected by this issue. We are not trying to be vague, but each case is truly unique. There is no single commonality that unites every individual affected other than the unauthorized trading activity.

We’d also like to take a moment to empathize with every person that has been impacted by this issue; it has caused financial harm not only to those affected but also damage to our trading community.

Update December 11th: individuals on Twitter and YouTube are circulating fake screenshots claiming 3Commas employees stole API keys. These are baseless accusations. Here's a blog post showing proof from our side.


Questions regarding the timing of the attacks on affected exchange accounts

With regards to the timing of the attacks, we can only speculate about this as  only the perpetrators know. It is possible that API details were gathered over an extended period of time and then the perpetrators waited for the market to slow down and provide a window where many trading pairs were illiquid and easier to manipulate. 

If the perpetrators are part of a sophisticated criminal organization, then it is  probable that they were extremely patient until they felt they had gathered enough API keys and for the most opportune time to strike.

This is why it is vitally important that affected users file a Police report with their local Police service or Cybercrime units. The faster this is done, the faster exchanges can freeze the accounts of the perpetrators to stop funds from being withdrawn and increase the likelihood that some, or all, of the funds may be returned to victims.

Additionally, exchanges in most cases require KYC to trade or withdraw funds, therefore the perpetrators’ identity details are available from the exchange for the Police to follow up during their investigation.

The longer the delay in the creation of a Police report, the more time the perpetrators have to withdraw the funds and disappear. 

3Commas hopes that law enforcement authorities will be able to provide us with a more comprehensive analysis based on information that only exchanges can provide about the attackers. Only they have the resources necessary to track the full network of criminal activities. 

Why did 3Commas ask so many questions to users affected by this issue?

We wanted to  gather information from affected users to determine if there were any details that affected users had in common. A more detailed explanation of all the questions we asked affected users can be found later in this article.

We tried to ascertain if a pattern could be established so we could share it with our exchange partners, law enforcement authorities, and potentially take proactive steps to protect other users at risk.

Unfortunately the information gathered did not show any pattern or link between the reported cases.

We asked users for examples of the ClientOrderID numbers from unauthorized trades for 2 purposes:

  1. To confirm if the orders were placed via the 3Commas platform
  2. To verify the integrity of the 3Commas databases (if orders were placed via 3Commas, then the perpetrator may have deleted logs etc.)

3Commas stands by previous statements that, to the best of our knowledge, there has been no breach of security encryption mechanisms or databases. 

Furthermore, if a breach had occurred then all API keys would be compromised, including all linked accounts from individual users. The large number of high net-worth individuals using 3Commas who haven’t been affected, despite being ideal targets, is a further indication that it wasn’t a vulnerability in our system.  

I know I wasn’t phished!

We’ve received many questions from affected users that claim the attack could not have been due to phishing and therefore must have been due to a “hack”. 

The term phishing was initially created to refer to fraudulent emails sent to trick users into visiting malicious websites that often imitated legitimate businesses, like PayPal, and attempted to steal user log-in credentials. 

Over time, phishing has evolved to incorporate new attack vectors, such as paying to advertise imitation websites high in search engine rankings or to incorporate malware as part of the attack. Also, phishing has been known to target specific groups of people, high net-worth individuals or even companies (known as “Spear phishing” or “Whale phishing”), more information on the various forms of phishing can be found here: https://www.phishing.org/phishing-techniques

Also, we have hard evidence that phishing was at least in some part a contributory factor; we published a blog article here showing many fake 3Commas websites that were created and some are still live on the internet, despite our best efforts to have them taken down:

https://3commas.io/blog/response-to-false-rumors-api-leaks

Several users have asked 3Commas to prove how they were phished or compromised. We are simply communicating what the current evidence is telling us is the most likely source of the attack. If you want to know for sure, then you must file a police report, because law enforcement, particular the national agencies, have cybercrime units that may be able to recover forensic information that only they can legally obtain. 

With any financial crime, the truth is found by following where the money went. This is where contacting the exchange where unauthorized trades took place is critical. They will have the transaction record showing where the money was moved. Most importantly, they can share that information with law enforcement. 

 

For example, if malware was used to gather API details from users some time ago, then only a Police investigation of each user’s ISP logs may reveal an internet address or pattern in  common across those affected.

“I want evidence 3Commas hasn’t been compromised”

In this document, we’re detailing all the steps we’ve taken to verify that the keys weren’t leaked from any 3Commas database or service. Please keep reading and you’ll see what we’ve done from our end.  

There are also a number of unexplained factors that are outside of our control:

  • We have reports from people who never connected exchange accounts to 3Commas and yet experienced unauthorized trading activity.
  • Some of the most vocal users on Twitter have been attacking 3Commas saying they had not stored the API keys/secrets elsewhere, which we know to be untrue.
  • Many users affected by the issue have yet to file a report with their local Police service when this should have been one of the very first steps taken if an account was suspected to have been compromised.
  • We also noticed that several people affected by this issue were managing funds on behalf of their clients; in order to do this, the client would need to provide API keys/secrets for their accounts. How were these highly sensitive details transmitted? This alone is a huge security vulnerability.

Additionally, it would be poor security practice to fully  publish our platform’s architecture and encryption mechanisms as it would place our users at risk.


Detailed timeline and information on our investigation

3Commas is the largest bot and trading tools platform, as such our platform generates a huge amount of log information, which takes a lot of time and resources to investigate. 

We appreciate that many users wanted to see a detailed breakdown of events and actions our team have performed and we left no stone unturned and investigated every aspect of 3Commas security and systems.

The information below is a detailed timeline of events, which many users have asked for.

Starting on the 20th of October, our support team started receiving requests from 2 users regarding suspicious activities on their accounts. 

On the 21st of October, the support team escalated the suspicious activity to our technical team. It was found that multiple malicious orders had been placed on the exchange accounts in order to drain the user’s balance with counter-trades, exploiting the user’s funds so the malicious actor could profit. 

For example, the majority of exchange account API keys that we found on the malicious users’ 3Commas accounts were from Binance and had never been added to 3Commas before. The second largest amount of exchange account API keys were for FTX.

A significant number of keys were never connected to, or used with, 3Commas. This strongly corroborates our understanding that almost certainly the attacks were not the result of a database leak. Moreover, the attack suggests that the selection of victims was random, without targeting the highest or lowest deposits on the exchange accounts, for example. 

At this point in the technical investigation, it does not suggest that our systems were compromised.

The “secret” part of exchange API keys never leave our database in a decrypted format. It is never transferred to a user, is not shown in any administrative tool, and can’t be accessed via the 3Commas Developer API by design. If someone could access the database and source code, they would not be able to decrypt the API “secret” keys because it would require a further encryption key that is securely stored within AWS infrastructure. It is accessed by the 3Commas backend when sending requests to exchange accounts on the user’s behalf, such as placing an order for a bot deal.

During our internal investigation, we conducted research in the following directions: 

  • We use Okta to provide access to our internal tools. We’ve checked IP addresses linked to malicious accounts against Okta and other internal audit logs. Whenever an employee accesses our internal systems, information is logged, including IP address. We have cross-checked the logs regarding employees' access and have found no match.
  • Carefully reviewed all code for 3Commas that would have access to or interface with the encryption keys.

Even though we already have strong access controls in place, we proceeded to go even further and conducted a manual review of security and access rights:

  • Reviewed who has access to our analytics (including Google Analytics, Intercom, Amplitude, and others)
  • Reviewed who has access to our database
  • Reviewed who has access to our codebase
  • Reviewed who has access to our administrative tools (which our support team uses to assist customers with their support requests, for example) and additionally, to test if there was any possible way to retrieve exchange API “secret” keys using this interface
  • Reviewed who has access to our infrastructure cluster and our AWS account
  • Checked that our internal services are not available without an authorised corporate VPN
  • Checked who has access to our corporate VPN
  • Checked who has access to our Slack, G-Suite documents and other communication channels (email, JIRA etc.)

We’ve also hired an external security consultant to help us with this investigation.

After conducting the review, we were able to confirm the access controls in place are working as intended. 

On 26th October, we finalized compiling the list of malicious 3Commas user accounts that were used to perform this attack.

We checked the IP addresses used for logging into the malicious 3Commas accounts. Among “VPN” IP addresses, we identified a high number of Russian addresses connected to a variety of Russian cities. 

The first phase of attacks described above mainly happened on FTX. We were in direct communication with FTX up until the recent news regarding their bankruptcy.

After analysis from both sides was completed, 3Commas and FTX came to the conclusion that it was most likely the result of a phishing case. Many of the impacted keys that FTX had identified were never connected or used on 3Commas. 

In cooperation with FTX, it was decided that for the sake of user security, FTX should disable all compromised API keys on their side, and 3Commas should temporarily disable adding FTX keys to the platform.

Also, the 3Commas engineering team has taken additional measures to prevent such attacks from happening in the future. As described above, we’ve disallowed the ability to connect the same exchange API and secret key to multiple 3Commas user accounts.

The second phase of attacks were notably different than the first

On the 31st of October, we received a message from Binance asking for urgent communication regarding abnormal activity on some Binance user accounts: multiple malicious buy and sell orders for the same trading pair were detected.

During the 1st and 3rd of November, we received escalations from our customer support team regarding multiple reports about users seeing abnormal activity on their accounts.

However, the abnormal activity described by affected users was different from the earlier FTX cases, and the vector of attack changed. The abnormal activity described was a result of orders that were NOT created or sent by 3Commas, but by another 3rd party which is still unknown to us. 

”Phase 2” of the attack was happening outside of the 3Commas infrastructure, so our support team requested that affected users provide the following information to help try and understand the situation and whether a pattern could be detected:

  1. Provide us with the ClientOrderIDs of some unauthorized trades from the exchange’s support team and just a 1-page screengrab of some orders that you suspect are unauthorized 
  2. Please provide the first 10-15 symbols of the public API key which you think was compromised and a screenshot of your exchange API key page.
  3. Where and how do you store your passwords and API keys/secrets?
  4. Do you ever use a search engine to find the 3Commas log-in page? If so, which search engine do you use?
  5. What browser and computer do you use? (Name, version)
  6. What extensions or apps are installed for your browser?
  7. Do you use a VPN or Proxy service?
  8. What services or applications have you added (or connected) to your exchange API keys?

On our side, for each case, we’ve checked whether there was any abnormal activity on the 3Commas side, for example, unauthorized trades or suspicious log-ins. During “Phase 2”, there were no such cases.

We also made a further review of our codebase. Validated that no SDKs were changed since our previous review. We also reviewed all the changes made in our codebase during the period between incidents and validated that no changes which could lead to sending exchange account API “secret” key related data to any 3rd parties were made.

3Commas has almost 1 million active API keys in its database. Less than 0.02% of keys were impacted. As of now, 40% of users who initially contacted 3Commas about this attack have been unwilling to cooperate with 3Commas and can not be confirmed as victims. At least 2 cases were confirmed as never having been users of 3Commas in any way, and 2 users also reported one of their exchange accounts was compromised but it had never been connected to a 3Commas account. 

As we lack information from 3rd parties, as well as from competitors, we cannot affirm with certainty the proportion of 3Commas clients that were targeted compared to overall attacks happening throughout the crypto space.

The mechanism of connecting the exchange to 3Commas or any other 3rd party using API keys involves copying the API key/secret pair from the exchange’s webpage. At this point, the most likely scenario is that a malware that has access to a clipboard could grab those keys. Also, any browser extension can access the content of web pages opened by a user and gather this information, too. 

However, we proactively decided to optimize our security even further. Currently, we are working on migrating all our clients’ exchange credentials to a separate service called Sign Center. This is secure storage in a separate and isolated infrastructure environment, with an increased auditing schedule. API “secret” keys are stored encrypted in this service and never leave it. API “secret” keys will be encrypted by an asynchronous cryptography algorithm from the moment that they are submitted in the 3Commas user interface. 

The main feature about this algorithm is that keys are encrypted with a public key, and can only be decrypted with a private key. In practice, this means that API keys will be transported 100% securely on all stages until they arrive at the heavily protected secure environment of Sign Center and can be decrypted only there.

We’ve also been working with our partner exchanges to roll-out Fast Connect and hope to offer this for all supported exchanges in the near future.

Considering all the facts we've laid out here, combined with the information gathered from investigating each individual case, all evidence leads to the conclusion that the attacks were not a result of a leak of user data from a 3Commas database.

Start Trading on 3Commas Today

Get full access to all 3Commas trading tools with free trial period

Weekly Digest: Smart Bot Is Here - Grid Bot Trailing Up - And More! 

Join our OKX Football Futures team!

Market Overview

Some good news this week, the bleeding appears to have stopped or at least stabilized. Still not seeing a lot of coins in the green this week, but AVAX and UNI have made modest gains. Most importantly, Bitcoin is mildly positive over the past week. Everything else in the market usually follows that coin to some extent, so seeing the current support level is good news. 

New Releases

Smart Bot is here! (For paid plans only)
What makes Smart Bot better than our old Gordon Bot? 
Smart Bot seeks to make trades when the market bounces back after a price drop and there is a higher likelihood of making a profit. It scans dozens of coin pairs seeking out trade opportunities and chooses the best one, 24/7. Smart Bot is also, well, smart. It’s continuously self-training and adapting to changing market conditions. 

Try out Smart Bot today

Security Notification - Update Your API Keys

Dear traders, 

Your account security is our greatest priority. Over the past month, there have been multiple incidents of unauthorized trades on partner exchanges. We’ve identified that these users’ API keys were accessed through a variety of phishing and input-stealing methods. 

We’ve engineered a new security upgrade to our API management system. This product will provide users with a more secure way to sign in and obtain API keys from partner exchanges using a cutting-edge cryptographic solution to create a fully isolated environment where the keys cannot be exported or reused. No one but you and the exchange will have access to your encrypted keys. This creates an incredibly strong security layer that will benefit the entire crypto ecosystem. We will try to make this solution free and available to all market participants. 

In conjunction with the above, 3Commas is also working with select exchanges to whitelist IP addresses, which will prevent account access and API usage from outside of 3Commas. 

With your help, we’re fighting back against the bad actors who attacked our users. We have a critical action you can take to assist with this. What we need you to do is delete and reissue your API keys on exchanges you’ve connected to 3Commas. 

Please carefully follow the step-by-step instructions in our collection of API connection guides for each exchange:

API Connection Guides

For exchanges that offer Fast Connect, we strongly recommend utilizing that feature for enhanced security. We are working with multiple exchanges to bring you this service. Here are the partner exchanges that will feature Fast Connect.  

  • Binance (excludes Binance.US) 
  • Deribit
  • OKX (QA stage)

Click here to go to 3Commas

RE: False Rumors of API Leaks or Exposure of our Database

Dear traders, 

 

Many of you have read the recent tweets about 3rd party API and mentions of 3Commas in a negative light. Those tweets refer to the phishing attack that started in October, 2022 and the bad actors are still trying different phishing techniques.  

Right now, what we’re seeing is a lot of fear and uncertainty in the crypto community because people are not getting clear answers, and misinformation is also being spread. I fully understand why users are feeling this pain right now, and my company is doing everything we can to help. If you have any questions, please join the conversations happening on the official 3Commas channels. Communication and transparency are critical right now, and my team is going to answer your questions to the best of our abilities with the most current information.  

I’m going to provide as much clarity as I can, with the goal of assisting 3Commas users, and the crypto community as a whole, with understanding what these attacks are and how we can stop them. A total of forty-eight confirmed 3Commas customers out of our active user base of over 100,000 have been affected.

We’re currently conducting a joint investigation with our exchange partners, particularly Binance, and we have determined there have been no breaches of 3Commas' account security and API encryption systems, or the account security and API encryption systems of our partner exchanges. 

Bad actors obtained the exchange API keys of some crypto traders using a variety of phishing methods and also potentially compromised the security of users’ personal computers via malware and browser extensions to access their files storing their keys. Many of the victims were not 3Commas customers, and used some other trade automation service to attack the exchanges. The wide number of exchanges and trade automation services involved provides strong evidence that this is a sophisticated multi-month phishing attack executed by a criminal organization targeting individual crypto traders. 

As a solution to this, 3Commas is currently doing the following:

  • Developing a solution for even more secure key storage for our users
  • Working with exchanges to implement white-listing, which we’ve already done with OKX, Bybit, and Kucoin 

What you need to do if your accounts have not been affected:

  • Users should refresh their API keys for every exchange and use Fast Connect where available, like that offered by Binance
  • Enable 2FA for every exchange and service you use
  • Change all your passwords
  • Make sure you’re typing in the URL of every site you’re interacting with

What you need to do if your believe there have been unauthorized trades on your exchange account: 

  • Delete your API keys
  • Change your passwords
  • Contact support for that exchange

You can find additional details in our Post Mortem, which we will be updating with more information about who was affected and how. 

FAQ for 3Commas Traders 

Is 3Commas in danger due to Alameda Research failing? 

NO. We are well funded and what is happening in the market will not impact us or the company immediately. Alameda Research was one of our early investors and we already have the funding in accounts that can’t be withdrawn by Alameda. They had a minority equity stake, so 3Commas has no ownership or funding crisis due to their collapse. We want to issue the Alameda shares to new investors but we are still waiting for a response from Alameda. We have been trying to reach them but no response so far.

Has 3Commas leaked APIs?

NO. This is a completely baseless accusation being floated by individuals on social media who don’t understand how API key encryption actually works. It’s far more complicated than getting a manager’s password and stealing a bunch of credit card data from the poorly secured system of a large retailer or credit reporting agency.

Can you give an example of the fake sites used by the phishers?

There are still several phishing websites that are trying to copy our website and mislead them into sharing their API keys. We have raised the Google team on and are working with them to take these sites down. Here is a list of some examples of site URLs the phishers used between July and Nov 2022.

FTX - What 3Commas traders need to know

FTX situation - 3Commas response

How recent events with FTX impact 3Commas traders:

We feel your pain. Let's start with that. This situation with FTX is a stressful event for a lot of 3Commas traders.

We’ve received requests from users asking us if there’s anything we can do to assist them and, unfortunately, the answer is no. 3Commas is an SaaS trading platform that has no technical ability to initiate withdrawals or deposits, and thus no custody or access to customer funds kept on exchanges. 

What we have done is stop any registration of new FTX API keys for 3Commas users. On the FTX main site, they advise users to not deposit funds, and withdrawals may not be processed. Your bots can technically work, but due to the various ongoing issues on FTX with liquidity, etc., they may not function properly. You’ll need to monitor your open positions directly on FTX. 

That’s all we can say about FTX, as we don’t have any special insight into their situation or ability to intervene on behalf of our customers. 

The second thing I want to do is dispel any misconceptions about 3Commas and our ability to continue operations. 3Commas is fully funded and the bots and trading services for our 100,000+ traders are working as normal on every other exchange we’re partnered with. As you may know, the owner of FTX is also the owner of Alameda Research, one of the investors in 3Commas. Alameda Research was one of several investors in our Series B funding round, but they were not the only investor. It was a straight cash for equity deal, and there is no risk of withdrawal by the investors. 

Simply put, 3Commas is an independent company with strong financials and our operations and ability to service our customers are not impacted by the current situation FTX is facing. We will continue monitoring the situation and provide updates when relevant information becomes available to us.

Our goal remains the same as always: to meet the needs of every crypto investor by providing industry-leading services and professional-grade tools. We hope that every FTX user gains access to their funds. 3Commas will keep building the best platform possible to help you achieve financial freedom.

Yuriy Sorokin

CEO, 3Commas

October 19th Phishing Attack Post Mortem

Bot trading security has hardened since the 2023 phishing wave.

Details on the phishing attack that began to affect exchanges on October 19th:

Incident Summary

On October 20th, 3Commas was alerted to unauthorized trading activity on multiple exchanges. A third party executed an attack on exchanges by utilizing crypto exchange API keys stolen from a few users in a phishing attack. The bad actor conducted trades for the DMG, MTA and MATH cryptocurrency tokens using automatization engines, including the 3Commas platform. There were no breaches of the account security and API encryption systems of 3Commas or our partner exchanges. Scammers created a fake website resembling the automatization engines' interfaces and lured a few customers into re-entering API keys. Those API keys were subsequently used as part of the attack on the exchanges. Ten 3Commas users have given us sufficient information to confirm their losses are related to the phishing attack. Overall, less than 0.025% out of our customer base of over 100,000 active traders.

The end result of this attack was a claimed loss of user funds totaling around $6M across all exchanges.

3Commas was chosen as the target platform to execute this attack because we are the most popular automated trading platform with the most advanced trading tools. With this kind of attention attracting ever more sophisticated attacks, we’ve become much more focused on working together with our exchange partners, such as OKX and Binance, to mutually reinforce security and proactively cut off the vectors that phishers have been using.

Background

Over $1B worth of crypto was stolen in 2021 due to scams and phishing attacks. Every major exchange has seen user funds compromised by phishing attacks at some point. Phishing attacks are the leading cause of stolen funds in the crypto industry because they don’t require a talented and knowledgeable hacker to identify and exploit a vulnerability in a security system while going up against InfoSec pros who are actively creating countermeasures against intrusions.

They merely require a cunning scammer to trick users into giving up their account access, private keys, or wallet details through some means. The most typical phishing scam, which was the case with the one under discussion today, involves impersonating a legitimate company via email or other means and getting the user to click on a cloned website that closely resembles the interface the user is familiar with but with a slightly different URL. The user enters their log-in details, and then significant stress and pain are experienced by that user and the legitimate service they’re trying to interact with. 

Leadup

  1. Bad actors obtained the API keys of small amount of users via cloned websites impersonating 3Commas and other crypto services where the phishing sites requested users re-enter their API keys for exchanges that included Binance, OKX, Kraken, Kucoin, FTX, etc. Users who manually entered an API key on the phishing websites had their accounts compromised. 
  2. Beginning on October 20th, the bad actor then used multiple accounts to initiate around 20,000 trades via the 3Commas API connection to those exchanges, and began dumping valuable coins and then using the deposit to buy DMG (8500 trades), MTA (1000 trades), MATH (9000 trades) and a few other cryptocurrencies in order to steal funds. 

Short-term Response

1. The abnormal activity triggered alerts for the 3Commas security team and the security teams of our partner exchanges, who then collaborated to identify and shut down the sources by terminating the API connections. 

2. During the subsequent investigation, the 3Commas team identified multiple cloned websites with slight variations of the 3Commas URL. We reported the sites to the web-services companies they were hosted on and worked to take them down.
3. 3Commas posted a security update notifying users of the attack and providing them with methods of ensuring their accounts are secure, including a strong warning to verify all IP addresses before entering any secure information. 

4. As a precaution, at the request of FTX, 3Commas will not accept connections to any new FTX accounts using API keys or secrets directly: instead, connections through Oauth (through which keys cannot be phished by fake sites) will be supported.  

5. FTX agreed to a one-time compensation of their funds lost in this attack. 

6. 3Commas is preparing much more stringent anti-phishing protocols and IP monitoring to detect and report 3rd party sites that attempt to impersonate 3Commas.

Long-term Response

Recently the Gate.io Twitter account was hacked, and the bad actors sent out phishing links to Gate.io followers. It was a stark lesson in the commitment of bad actors to be creative in obtaining user credentials to access funds and keys.

We commend Gate.io on their transparency, and we endeavor to be completely open with our users. They created a link verification tool and a list of official URLs for users to check any link against. It’s an interesting solution and we will consider it at some point in the future. 

A big ongoing initiative that 3Commas leadership began working on months before this recent attack is to encourage our partner exchanges to eliminate manual API key entry and the vulnerabilities it causes in favor of Fast Connect systems using the 0Auth 2.0 protocol. It greatly simplifies the user authentication and API request process, while simultaneously making it far more secure. 



Another initiative is that we’d like to establish better communications with our partner exchanges, and crypto traders in general when we see the precursor moves of an incoming attack. Take a look at the 30-day chart for DMG.

Automate your spot trading strategy

3Commas' DCA bot buys automatically at your set intervals — no need to time the market manually.

Tricksy Crypto Phishers - 3Commas Week 43 Digest

Market Overview

Nothing super interesting happened last week. SOL took a 7.36% dip, but no significant dynamic movements elsewhere in the top 20. If you had a Grid Bot set up for ETH last week, you were probably happy with the results. Bear markets are a grind, ladies and gentlemen, and Grid Bot is designed to let you make profits off those minor bounces between support and resistance that drive HODLers crazy. As you’ll see below, 3Commas has added some new functionality to our Grid Bot that should help you show more green than red.

New Releases

New Grid Bot dropping this week with some sweet features. There will be a blog with the full description, so keep an eye out for it when we announce it in Telegram/Twitter/Discord, etc. 

What’s new with Grid Bot:

  • Default settings in asymmetric grids should now result in better PNL ratios when the markets fall. 
  • Grid Bot will now build more effective grids when you add more funding by increasing the number of levels. 
  • You can now rename live Grid bots, rather than needing to stop them first. 
  • “Required balances” widget will now show available funds of both currencies in the selected pair in the quote currency equivalent. 

Binance Spot Exchange is now available for Turkey!

Traders will have full access to seek profits using SmartTrade, Terminal, DCA Bot, Grid Bot, and HODL Bot. No options or futures at this time.

Food for Thought

PROTECT YOUR API KEYS AND LOGIN PASSWORDS

There has been a new phishing attack with 10 confirmed victims since October 20th across three separate exchanges. This phishing attack works by scammers creating websites that impersonate the 3Commas interface. We are working directly with our exchange partners and the affected users to provide assistance and resolve this issue. 

There has been no breach of the account security or API encryption systems of either 3Commas or those of our partners. It was a phishing attack where users were tricked into giving up their API keys.

It’s holiday season, ladies and gentlemen, and every company in the crypto space will be doing promos, discounts, giveaways, etc. Scammers are going to do their best to intercept as many people as possible with fake sites so they can capture your passwords, API keys, and wallet keys.

Be on guard and check those website URLs before you start punching in your information for those deals that seem too good to be true. Check to make sure they haven't done common substitutions in the URL like the number "0" for the letter "o" or "n" for "m."

We have full details about the phishing attack and what steps you can do to ensure your accounts stay secure.

3Commas Security Update

We'll be dropping a post-mortem blog about the full details and the work we've been doing with our partner exchanges to better protect our users.

3Commas Security Update

A quick summary of a potential new phishing scheme targeting crypto traders

Security Alert for 3Commas Users

23 October. 16:00 GMT Update

Dear 3Commas community, I have a quick update as more information has come in over the course of this weekend.

On the 20th of October, the 3Commas team was alerted to an unauthorized trading incident involving the use of a partner exchange’s API keys stolen from 3Commas users. The theft occurred outside of the 3Commas system, via a phishing attack conducted on inauthentic websites mocked up to resemble the 3Commas interface. There have been no breaches of either 3Commas' account security and API encryption systems, nor the account security and API encryption systems of our partner exchanges. 

Only three users claim to have been affected at this time. There are a number of individuals on social media channels claiming to be victims of this phishing attack who we have verified are not 3Commas customers. They are making claims that are factually inaccurate and confusing to users.

3Commas, in cooperation with our partner exchanges, is conducting an investigation of this incident to ensure our user community remains protected and feels safe to trade. We are working directly with the three individuals who claim to have been affected so that we can ascertain more details regarding how they stored their API keys and other sensitive data. 

I'd like to reiterate that phishing attacks are heavily prevalent anywhere transfers or trades of currencies happen. While 3Commas is doing everything possible to support our users, and our systems remain secure, I'm urging you to review the account security protocols outlined at the bottom of this post so that you can significantly reduce your odds of falling victim to these predators.

Here are the facts as of October 23, 2022 at 16:00 GMT

  • There have been no breaches of 3Commas' or any partner exchange’s account security databases, and no encryption protocols have been compromised. 
  • No API keys have been leaked from 3Commas or partner exchanges. 
  • The API keys used in this attack came from phishing attacks utilizing websites that replicated the 3Commas interface and captured users’ API keys when they attempted to connect their exchange accounts. 
  • These stolen API keys were used to place unauthorized trades using DMG cryptocurrency trading pairs on a partner exchange. 
  • 3Commas has cooperated with partner exchanges to identify accounts with suspicious activity and disabled API keys that may have been compromised from the user’s side. 
  • There are three 3Commas users who claim to have been affected by this situation. We are in contact with them to provide support and discover exactly how their API keys were stolen. 

If you believe you may have been a victim of this phishing scheme, 3Commas is ready to help you with all the tools at our disposal. Please reach out to our support team support@3commas.io and also follow the steps outlined at the bottom of this post to renew your API keys with your exchanges and change your passwords.

21 October. 16:00 GMT

Dear 3Commas Community,

On the 20th of October, the 3Commas team was alerted to an incident that occurred where a number of partner exchange API keys connected to 3Commas and used to perform unauthorized trades for DMG cryptocurrency trading pairs on partner exchange accounts.

As further information has come in, 3Commas has been informed that traders who have never used 3Commas were also affected by what appears to be a 3rd party phishing or hacking attack of some kind.

During a collaborative investigation conducted by 3Commas and our partner exchanges, a number of API keys were found to be linked to new 3Commas accounts that were created and used for the first time to perform unauthorized trades for the DMG trading pairs on the partner exchange. The API keys were not taken from 3Commas but from outside of the 3Commas platform.

Our team widened the investigation and found several fake 3Commas websites that were used to "phish" 3Commas users by replicating the design of the 3Commas web interface and captured API keys from 3Commas users that had accidentally used the fake website to try and connect their exchange accounts.

The API keys were then stored by the fake website and later used to place the unauthorized trades on the DMG trading pairs on the partner exchange.

Due to the scale and sophistication of the attack we also suspect that 3rd party browser extensions or malware may also have been used.

As a precaution, the partner exchange and 3Commas have identified accounts that had possible suspicious activity and disabled the API keys which may have been compromised.


If you have an exchange account connected to 3Commas and it is saying the API is "invalid" or "requires updating", then it is possible your API details were compromised and the API key has been deleted by the partner exchange. We urge you to create new API keys on that exchange and update your linked exchange accounts in 3Commas using the guide below to ensure any trades or deals you have active will be unaffected.

Update API Keys

A comprehensive step-by-step action guide to updating API Keys on 3Commas

Weekly Digest - New DCA Deal Start Conditions

Tips for setting up better DCA bots, a video of our September update, and new information about our contest with Huobi

Market Overview

Another bear week without a lot to report. Cardano and XRP both took a little plunge, but that was the only significant movement in the top 20 outside of LEO boosting up 10% before hitting a plateau.

For something intriguing outside the top 20, Cronos (CRO) has been exhibiting behavior that might make it a good candidate for a Grid Bot.

Something funny happened with BTC and ETH this week, but it's not so uncommon due to both of these coins being so foundational to the overall crypto trading market. While they often follow very similar price charting, this week they almost looked like mirrors.

Put your trading plan into action with 3Commas

Automate your strategy with DCA and GRID bots. Backtest before going live. Start for free.