Users of automated crypto bot trading service 3Commas are seeking legal action against the platform after losing millions of dollars in unauthorized trades.
On Tuesday, on-chain analyst ZachXBT said he had verified a group of 44 victims that had a collective amount of $14.8 million stolen from their accounts on centralized exchanges.
The users alleged that their API keys tied to their accounts on the exchange, which they used to connect with 3Commas’ infrastructure, had been compromised as a result of a leak on 3Commas’ end.
2/3 Users have made complaints across different exchanges. It’s clear this is not phishing and api keys were stolen.
3Commas and their founder have chosen to blame its users. Delete the api keys if you haven’t already and stop using 3commas.
— ZachXBT (@zachxbt) December 20, 2022
“A group is currently organizing a class action lawsuit so if you’ve been effected [sic] please leave a comment below,” tweeted ZachXBT.
3Commas denied the allegations that there had been any sort of API leak on their platform, saying that victims should file a police report so that the exchanges where they lost their funds could be investigated instead.
Over the last few weeks, a number of crypto traders claimed to have lost a significant amount of funds through an API-related exploit on their exchange accounts. Some users also claimed to have found evidence that 3Commas API keys were exposed – something that 3Commas CEO Yuriy Sorokin denied in a blog post that called the information “falsified.”
We seen at least 3 cases of users who shared their API key with 3rd party platforms (Skyrex and 3commas), and seen unexpected trading on their accounts. If you used such a platform before, I highly recommend you to delete your API keys just to be safe. 🙏
— CZ 🔶 Binance (@cz_binance) November 14, 2022
In a recent email to customers, crypto exchange Binance said it would be deleting inactive API keys older than 30 days that have not been restricted to trusted IP addresses as a safety measure.