October 19th Phishing Attack Post Mortem

Details on the phishing attack that began to affect exchanges on October 19th:

Incident Summary

On October 20th, 3Commas was alerted to unauthorized trading activity on multiple exchanges. A third party executed an attack on exchanges by utilizing crypto exchange API keys stolen from a few users in a phishing attack. The bad actor conducted trades for the DMG, MTA and MATH cryptocurrency tokens using automatization engines, including the 3Commas platform. There were no breaches of the account security and API encryption systems of 3Commas or our partner exchanges. Scammers created a fake website resembling the automatization engines' interfaces and lured a few customers into re-entering API keys. Those API keys were subsequently used as part of the attack on the exchanges. Ten 3Commas users have given us sufficient information to confirm their losses are related to the phishing attack. Overall, less than 0.025% out of our customer base of over 100,000 active traders.

The end result of this attack was a claimed loss of user funds totaling around $6M across all exchanges.

3Commas was chosen as the target platform to execute this attack because we are the most popular automated trading platform with the most advanced trading tools. With this kind of attention attracting ever more sophisticated attacks, we’ve become much more focused on working together with our exchange partners, such as OKX and Binance, to mutually reinforce security and proactively cut off the vectors that phishers have been using.

Background

Over $1B worth of crypto was stolen in 2021 due to scams and phishing attacks. Every major exchange has seen user funds compromised by phishing attacks at some point. Phishing attacks are the leading cause of stolen funds in the crypto industry because they don’t require a talented and knowledgeable hacker to identify and exploit a vulnerability in a security system while going up against InfoSec pros who are actively creating countermeasures against intrusions.

They merely require a cunning scammer to trick users into giving up their account access, private keys, or wallet details through some means. The most typical phishing scam, which was the case with the one under discussion today, involves impersonating a legitimate company via email or other means and getting the user to click on a cloned website that closely resembles the interface the user is familiar with but with a slightly different URL. The user enters their log-in details, and then significant stress and pain are experienced by that user and the legitimate service they’re trying to interact with. 

Leadup

1. Bad actors obtained the API keys of small amount of users via cloned websites impersonating 3Commas and other crypto services where the phishing sites requested users re-enter their API keys for exchanges that included Binance, OKX, Kraken, Kucoin, FTX, etc. Users who manually entered an API key on the phishing websites had their accounts compromised. 
2. Beginning on October 20th, the bad actor then used multiple accounts to initiate around 20,000 trades via the 3Commas API connection to those exchanges, and began dumping valuable coins and then using the deposit to buy DMG (8500 trades), MTA (1000 trades), MATH (9000 trades) and a few other cryptocurrencies in order to steal funds. 

Short-term Response

1. The abnormal activity triggered alerts for the 3Commas security team and the security teams of our partner exchanges, who then collaborated to identify and shut down the sources by terminating the API connections. 

2. During the subsequent investigation, the 3Commas team identified multiple cloned websites with slight variations of the 3Commas URL. We reported the sites to the web-services companies they were hosted on and worked to take them down.
3. 3Commas posted a security update notifying users of the attack and providing them with methods of ensuring their accounts are secure, including a strong warning to verify all IP addresses before entering any secure information. 

4. As a precaution, at the request of FTX, 3Commas will not accept connections to any new FTX accounts using API keys or secrets directly: instead, connections through Oauth (through which keys cannot be phished by fake sites) will be supported.  

5. FTX agreed to a one-time compensation of their funds lost in this attack. 

6. 3Commas is preparing much more stringent anti-phishing protocols and IP monitoring to detect and report 3rd party sites that attempt to impersonate 3Commas.

Long-term Response

Recently the Gate.io Twitter account was hacked, and the bad actors sent out phishing links to Gate.io followers. It was a stark lesson in the commitment of bad actors to be creative in obtaining user credentials to access funds and keys.

We commend Gate.io on their transparency, and we endeavor to be completely open with our users. They created a link verification tool and a list of official URLs for users to check any link against. It’s an interesting solution and we will consider it at some point in the future. 

A big ongoing initiative that 3Commas leadership began working on months before this recent attack is to encourage our partner exchanges to eliminate manual API key entry and the vulnerabilities it causes in favor of Fast Connect systems using the 0Auth 2.0 protocol. It greatly simplifies the user authentication and API request process, while simultaneously making it far more secure. 

Another initiative is that we’d like to establish better communications with our partner exchanges, and crypto traders in general when we see the precursor moves of an incoming attack. Take a look at the 30-day chart for DMG.

You’ll notice that before October 10th, this token was flatlined. Then on the 10th and 17th, new life was breathed into it, with a high probability the buyers were the initiators of the phishing attack. Then, two days later, the attacks began, and massive buy orders for inflated prices were sent out using stolen API keys.

We’re not calling for regulation but rather for communication. Whenever an individual or company notices this activity on a dormant token, we hope they have the integrity to contact exchanges and trading services to warn them of the suspicious activity. This would give everyone involved a chance to stop the attack before it happens and leave the scammers with a big red bag. 

Yuriy Sorokin

CEO

3Commas