3Commas API Dispute Highlights Risks of Algorithmic Trading

Despite the bear market, cryptocurrency day traders still see opportunities to strike it rich. Many seek out an edge by employing algorithmic trading bots that automatically execute trades at a moment’s notice.

There are risks in letting code make snap decisions, however. A group of investors organizing on Telegram say that they have been the victims of hackers that compromised the Application Programming Interface (API) of the automated trading platform 3Commas to the tune of $22 million.

In a series of tweets, the pseudonymous internet sleuth @ZachXBT claims dozens of users have reported that thieves siphoned funds away through unauthorized trades on their centralized exchange accounts because of the 3Commas API.

“3Commas blames it on phishing but I now have verified a group of 44 victims who’ve had $14.8m in total stolen,” ZachXBT tweeted.

In a Google Docs document shared in the Telegram group and viewed by Decrypt, members say the exchanges where the unauthorized transactions occurred include Binance, Coinbase Pro, and KuCoin.

“Users have made complaints across different exchanges,” ZachXBT wrote. “It’s clear this is not phishing and API keys were stolen.”

What is an API?

An API is a set of rules that define how two software programs (in this case, a trader’s portfolio or wallet and a cryptocurrency exchange) should communicate. APIs are used for various reasons, providing a way for developers to access multiple services and data, and enabling users to interact with different applications through a single user interface.

What is algorithmic trading?

Algorithmic trading uses computer programs, including APIs, to execute trades in financial markets. These programs, also known as trading bots, are designed to analyze market conditions and execute trades triggered by predefined parameters.

One advantage of algorithmic trading is that it allows traders to execute trades quickly without human interaction. Trading bots can be especially useful in fast-moving global markets like cryptocurrency, where manual trading may not be possible.

While algorithmic trading bots can help traders looking for an edge, their use also carries risks, such as potential errors or malfunctions in the algorithm or compromised access to their settings.

An earlier 3Commas scam

In October 2022, then-FTX CEO Sam Bankman-Fried paid out $6 million to FTX traders who were victims of a multimillion-dollar scam that hit FTX users through compromised 3Commas APIs.

Bankman-Fried tweeted that he was prepared to remunerate FTX users affected by an exploit in which attackers used 3Commas’ API to make trades on the exchange, but warned that the action should not be considered a precedent or company policy.

3Commas says the theft of user funds was due to a phishing attack, not their software, and called the claims of API leaks or exploits, then and now, fake and spread by bad actors.

In a series of posts on the 3Commas blog, co-founder Yuriy Sorokin has repeatedly addressed the claims against the platform.

“In the latest edition to this saga of API keys and attacks on exchanges, we’re now seeing individuals on Twitter and YouTube circulating fake screenshots of Cloudflare logs in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files,” Sorokin wrote, pointing to a December 10, 2022 tweet that he says claims 3Commas employees are stealing API keys.

The investigation continues

In an email response to Decrypt, 3Commas asserted that “there are no API leaks or exposure of our database,” and said that it is working with Google to take down phishing websites trying to copy its platform, which could trick customers into submitting their API keys.

3Commas also wrote that it is working with Binance in “investigating the root cause” and said its own team is “finding a permanent solution to fix the API issue.” The company did not respond to a request from Decrypt to explain the API issue that required fixing.

Excluding actions by insiders, how would an attacker know who to attack, via phishing or otherwise, and when?

“Normally, my answer would be it depends,” David Schwed, COO of Web3 security firm Halborn, told Decrypt.

“If an attacker was able to inspect network traffic, they’d be able to obtain some information as to who was making API calls based on either the URL or the originating IP address,” Schwed said. “However, in this case, the users of the API were much simpler to ascertain.”

“In the developer section of 3commas.io, they have an API chat link to a [Telegram] group with close to 1,000 members,” he explained. “Those members, I’d assume, are all API users.”

Edmondo “Mundy” Pena, a cybersecurity professional and algorithmic trader, tells Decrypt he had used 3Commas’ trading software since 2020 when he first heard about the platform. Around that same time, Pena says he launched his business, Crypto Trading Desk.

Pena says he has used 3Commas’ API on multiple portfolios for just under two years without issue. Pena says he first noticed problems with his trading account during the Thanksgiving holiday in November 2022.

“I had an API with trade-enabled access to my portfolio,” he said. “My greatest fear was realized on Thanksgiving morning when I started seeing 1000s of trade alerts happening on my portfolio.” Pena said he deleted the API before the thieves drained all of his funds.

Pena says he took to Google to research what happened to him and found that he was not the only one to experience what he did. Pena says he is working with others who say the same thing happened to them.

So far, Pena says he has had face-to-face interviews with nearly 60 individual users who report unauthorized transactions made through the 3Commas API.

He says that several of the people he spoke with have taken the step of going to law enforcement about the matter. Using his background in cybersecurity forensics, Pena says he was able to reverse engineer the attack on his account. He then took that information to contacts in the U.S. Secret Service.

In December 2022, a crypto trader who goes by CoinMamba took to Twitter to say that their Binance account was compromised due to a leak of the 3Commas API key, which led them to lose funds.

The tweet led to several exchanges between CoinMamba and Binance CEO Changpeng “CZ” Zhao, which ended with CoinMamba’s Binance account being closed.

“The only common denominator here is 3Commas,” Pena said.

Though Pena is confident that there is an issue with 3Commas software, he did acknowledge that some of the problems stem from traders forgetting about and leaving APIs attached to their accounts.

“Most people forget,” he said. “Setting up APIs isn’t something that you do quite often. Most people have only ever had one API associated with their portfolio.”
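The forgotten-key problem Pena describes is something a trader can check for mechanically. The following is an added example, not code from 3Commas, any exchange, or anyone quoted in this article: it runs an assumed policy over a constructed inventory of API keys and flags trade-enabled keys that have gone idle or that are delegated to a third-party bot. The inventory format and the policy thresholds are assumptions for the example.

```python
"""Audit exchange API keys for the "forgotten key" risk.

Constructed example: the inventory records below are made up; real exchanges
expose key metadata through their own (differing) account APIs.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: each record is one API key attached to a trading account.
SAMPLE_KEYS = [
    {"label": "3commas-bot", "exchange": "binance", "trade": True,
     "created": "2020-11-02", "last_used": "2022-11-20", "third_party": True},
    {"label": "portfolio-viewer", "exchange": "coinbase-pro", "trade": False,
     "created": "2021-03-14", "last_used": "2022-12-01", "third_party": False},
    {"label": "old-experiment", "exchange": "kucoin", "trade": True,
     "created": "2021-01-05", "last_used": "2021-02-10", "third_party": False},
]


def _parse(day: str) -> datetime:
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_keys(keys, now, idle_days=30):
    """Return a list of (label, reason) findings.

    Assumed policy (not anything 3Commas or an exchange prescribes):
      - a trade-enabled key idle for longer than idle_days is a candidate for
        deletion: nobody is watching it, so nobody would notice if it started
        trading;
      - a trade-enabled key handed to a third-party bot extends the account's
        trust boundary to that bot's infrastructure and should be reviewed.
    Read-only keys are never flagged.
    """
    findings = []
    cutoff = now - timedelta(days=idle_days)
    for k in keys:
        if not k["trade"]:
            continue
        if _parse(k["last_used"]) < cutoff:
            findings.append((k["label"], f"trade-enabled and idle since {k['last_used']}; revoke"))
        if k["third_party"]:
            findings.append((k["label"], "trade-enabled key delegated to a third-party bot; review"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_keys(SAMPLE_KEYS, datetime(2022, 12, 15, tzinfo=timezone.utc)):
        print(f"{label}: {reason}")
```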

Pena tells Decrypt that other affected traders are also looking at their legal options and are working with law enforcement.
