Phishing attacks targeted at FTX users have resulted in the loss of over $6 million worth of crypto from several accounts.
On Oct. 23, a security alert from automated crypto trading bot service 3Commas informed users that a phishing attack had compromised users’ API keys on one of their partner exchanges.
The partner exchange in question presumably referred to crypto exchange FTX, according to several reports from affected users who claimed they lost millions of dollars over the weekend.
“The theft occurred outside of the 3Commas system, via what was likely a phishing attack conducted on inauthentic websites mocked up to resemble the 3Commas interface,” wrote 3Commas.
An incident analysis found that the hackers used the stolen API keys to make several unauthorized trades on low liquidity pairs like DMG/USD, MER/USD and PORT/USD on FTX.
Blockchain reporter Colin Wu summarized an account of four separate users who fell victim to the exploit between Oct. 18 and Oct. 21, some of whom claim to have lost over $1.5 million.
Another user reported a loss of 104 BTC, worth over $2 million at the time of writing, despite never having used the 3Commas service to set up a trading bot. The user also claimed that his devices were secured by anti-virus software designed to detect scams of this nature and that FTX had been unresponsive when he attempted to contact them on the matter.
FTX CEO Sam Bankman-Fried addressed the situation in a series of tweets on Sunday.
“We’ve mostly stamped out sites that try to phish users by masquerading as FTX. But we can’t fix fake sites impersonating *other* services. A few users accidentally registered at fake other sites, including 3 Commas,” wrote Bankman-Fried on Twitter.
He went on to note that since users unknowingly provided their FTX API keys to bad actors impersonating a third party site, there was little FTX could do to make the victims whole. However, in this particular instance, Bankman-Fried said that FTX would compensate those affected by the scam, noting that it was a “one-time thing” and that FTX would not reimburse such losses going forward.
“We will not making a habit of compensating for users getting phished by fake versions of other companies [sic],” said the FTX CEO.
By his estimates, the amount stolen from FTX users roughly totalled $6 million, for which FTX users will be compensated.
Bankman-Fried also proposed absolving the attackers from further action if they sent back 95% of the funds acquired from the scam.