The cryptocurrency robot trading service 3Commas was hacked today. The anonymous hacker has posted 10,000 sets of user account passwords on Twitter, and the remaining 90,000 sets will be released one after another. Any cryptocurrency exchange user who uses the API provided by 3Commas should disable it immediately.
Anonymous hackers broke into the 3Commas server and obtained a total of 100,000 sets of API login service keys. The scope of the damage extends far beyond 3Commas itself, because assets may also be stolen on Binance, KuCoin and other exchanges that support robot trading services.
“After we confirmed the news, we immediately contacted platforms such as Binance and KuCoin to ask them to remove the relevant API permissions.” 3Commas CEO Yuriy Sorokin said that the data leaked by the hacker is genuine user information, and that the company is taking relevant measures to stop the bleeding.
Binance CEO Changpeng Zhao also tweeted immediately, calling on all users who have used API access with 3Commas to stop immediately, to keep the crisis from spreading.
3Commas is a robot trading service built on the concept of quantitative trading. Users need a basic understanding of programming. Once the parameters are set, the robot monitors the market around the clock and trades automatically. Since its establishment in 2017, 3Commas has gained more than 220,000 users and a transaction volume of more than 10 million US dollars, and has cooperated with 18 well-known exchanges.
For the robot to complete transactions automatically, the computer has to log in on the user's behalf. The user therefore needs to store the account number and password on the server and let 3Commas and the exchange complete the security authentication through the API before any transaction can be carried out. Ironically, 3Commas scored a perfect 100 on the website security review site ScamAdviser, a score that most websites cannot achieve.
In addition, since October, 3Commas users have been reporting unexplained asset losses. The company took the view that these users had been deceived by phishing websites, so they were not compensated. But the evidence now shows that the problem comes from the platform itself, to say nothing of the losses that may follow. The losses previously reported by users were as high as 6 million US dollars, and they have doubled in the last two weeks.
At present, the company has not provided any further information, saying only that it will take comprehensive action and cooperate with the judicial authorities in the investigation to try to find the perpetrator.