Cyber Incident Victim: 3Commas
Date: Oct 2022
Location: Estonia
Summary
An unauthorized third party disclosed API keys, secrets, and passphrases taken from the company's database, potentially enabling unauthorized trades through connected exchange accounts. The firm confirmed the breach after a hacker's online post, asked exchanges to revoke the affected keys, and recommended that users reissue their API credentials. Internal investigations found no evidence of compromised systems, code breaches, or employee involvement, despite the hacker's allegation that an insider had sold the data. The organization had previously attributed incidents to phishing or malware; it has since strengthened its security controls by implementing a Sign Center that further restricts API access, while maintaining normal operations under heightened alert. Law enforcement was engaged to investigate the perpetrators.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 28, 2022, a post appeared on Pastebin from an individual claiming to have accessed API data stored in 3Commas’ database; the post was later removed. 3Commas became aware of the breach through this public post at the same time as its user community. The company confirmed that unauthorized third parties had disclosed some users’ API data, including keys, secrets, and passphrases. This disclosure created a risk that attackers could link exchange accounts to unauthorized profiles or execute trades without consent. While the investigation indicated that only API data was compromised, 3Commas immediately requested that Binance, KuCoin, and other integrated exchanges revoke all keys linked to its platform. Users were strongly advised to reissue any API keys connected to exchanges and were directed to a support guide for assistance. The company acknowledged the hacker’s allegation that an employee had sold user data but stated that internal reviews found no evidence implicating staff or confirming a system breach. Prior communications had suggested phishing or malware as likely causes, but subsequent analysis revealed no compromised code, server vulnerabilities, or malicious insider activity.

3Commas engaged law enforcement to investigate the breach’s origins and urged affected users to contact Estonian authorities or local police to aid perpetrator identification. The company emphasized operational continuity while maintaining heightened security vigilance. As part of ongoing security enhancements, 3Commas had already deployed a new Sign Center on November 16, 2022, in response to earlier October exchange account attacks, further restricting API key access. Plans were announced to publish detailed technical documentation explaining this system. Support channels, including a dedicated email address, remained available for user inquiries. CEO Yuriy Sorokin expressed regret over the incident and committed to transparent updates as investigations progressed, though no conclusive findings regarding the attackers’ methods or identities had been disclosed at the time of the notice.
