Fake screenshots are being circulated claiming employees stole API keys

DATE PUBLISHED: DEC 11, 2022
DATE UPDATED: DEC 11, 2022

Bad faith actors are making accusations using falsified evidence

In the latest episode of this saga of API keys and attacks on exchanges, we are now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files. Specifically, a tweet from the 10th of December claims that 3Commas employees are stealing API keys.

Whoever created the screenshots did a reasonably convincing job with an HTML editor, but they made a few key mistakes that show their claims are fake. We will go through them point by point.

You can also refer to our December 10th article where we broke down all the details we can make public about our investigation into any potential breach of 3Commas systems, and what we know about the attacks on our exchange partners.

Background

  • The images attached to the Twitter post, and on pages 10-12 of the accusers' "report", are presented as screenshots of the "Instant Logs" page of a Cloudflare dashboard
  • "Instant Logs" is a Cloudflare feature that shows live HTTP request logs for your website in the dashboard (https://developers.cloudflare.com/logs/instant-logs/)
  • An "Instant Logs" session shows the logs for 60 minutes; after that it is disconnected and has to be started again to see the logs
  • "Instant Logs" is started from the Cloudflare dashboard web interface, and that action is recorded in the account's Audit Logs
  • Audit Logs retain data for the past 18 months

Proof #1

On these alleged screenshots the date of the logs is November 2nd, 2022. We know for sure, and have confirmed this with Cloudflare customer support after checking the Audit Logs, that there were no "Instant Logs" activation events over the past 12 months. The first activation event in the Audit Logs is dated November 22, 2022. That is the day a YouTube video with the same fake screenshots was published, and our team started the feature to check the claims and found they were fake. In other words, neither our employees with access to Cloudflare nor anyone else could have activated the feature on November 2nd. It is also not technically possible for an account holder to delete the Audit Log entries that record an "Instant Logs" activation. Conclusion: the screenshot is fake.

Proof #2

All the details that could prove the screenshot was taken from the 3Commas Cloudflare dashboard (such as the Cloudflare account ID) have been blurred out. The left navigation menu does not match the real menu in our Cloudflare account, and even the account name does not match. 3Commas uses the Enterprise version of Cloudflare, which means certain features, such as Edge Reachability and Logs, are available by default and appear in the left menu. The forgers apparently did not know this, and they produced the screenshots without these features in the left menu. Conclusion: the screenshot is fake.

Proof #3

The bad actor claims the "Instant Logs" screenshots were taken on November 2, 2022. Every entry shown is a POST request. A real, unfiltered stream of requests to our site would never produce this exact sequence, and it would never consist of POST requests only; it is always a mix of different request types and methods. One could argue the view was filtered, but the screenshots also show that no filters had been applied. So this is another part that was altered in an HTML editor to make it look like an original. Conclusion: the screenshot is fake.

Proof #4

And last but not least, the bad actors are inconsistent even within their own so-called "report". In the report they state that the "types_to_connect" request used the GET method, and then, as "solid proof", they present a screenshot in which the very same request appears as a POST on November 2, 2022. In reality, on November 2, 2022 this request used the GET method, so there is zero chance that "Instant Logs" would have shown it as a POST. Conclusion: the screenshot is fake.

As an overall conclusion, the bad actors have clearly put a lot of effort into creating these fake images. This is an unprecedented information attack. But it would be nonsense to take seriously any "security report" that relies on this kind of "proof".

We've been providing tools for traders since 2017, and we've seen almost everything at this point. Many of the 120,000+ active traders in our community have as well.

We're not asking you to place blind trust in 3Commas. We are asking you to critically evaluate the information we're providing and compare it to the accusations and fake evidence being circulated by people on Twitter, YouTube, and other platforms. We're being transparent, and they're looking to light a match and hope they can start a fire.