Binance came to the fore with a hack attack that targeted the trading bots of the crypto trading platform 3Commas. This vulnerability was known before and the CEO mentioned it at CZ. It currently has $450,000 worth of altcoin losses.
Binance still vulnerable to 3Commas API vulnerability: This altcoin was stolen
Trading bot 3Commas, whose users are integrated with various exchanges, causes more money loss after third-party applications leak API keys. According to statements by Rodion Longa, founder of the Worldpokerdeals portal, a number of Binance users have saved their money due to a well-known vulnerability of the 3Commas trading bot API tools. Allegedly, $450,000 worth of BUSD is currently missing.
@cz_binance @BinanceRussian My account was just exploited using 3commas API leak similar to this case https://t.co/89TvsiV3H9
Please help. 450k busd lost
— Rodion Longa (@LongaRodion) December 9, 2022
Binance CEO warned
cryptocoin.com As we reported, CZ warned users in November to delete unused API keys. He also asked them to be careful when using Skyrex and 3Commas. In the same period, 3Commas stated that they are also fighting phishing attacks that affect users of other exchanges. In particular, users of the now bankrupt FTX exchange lost more than $6 million due to phishing attacks. But the stock market made up for them.
Binance claims this is not phishing attacks and API key leak by 3Commas. However, Yuriy Sorokin, the founder of 3Commas, suggested that these were phishing attacks that could hit anyone, including Binance.
We seen at least 3 cases of users who shared their API key with 3rd party platforms (Skyrex and 3commas), and seen unexpected trading on their accounts. If you used such a platform before, I highly recommend you to delete your API keys just to be safe. 🙏
— CZ 🔶 Binance (@cz_binance) November 14, 2022
In new developments, “Longa”, who said that he has not used the 3Commas trading bot API for the last 11 months, underlined that this will not be a phishing attack. Similar complaints like this keep popping up. Twitter’s @coinmamba stated that he only tied his API to 3Commas services and forgot about that too. Coinmamba then immediately reported the issue to the Binance (BNB) team. He asked the exchange to recoup his money.
Although user CoinMamba itself was blamed for not deleting their API keys, the companies’ reaction was also unimpressive. Binance has since restricted CoinMamba’s account to a withdrawal-only mode, citing the user’s threat to Binance’s customer service.
Yeap, @cz_binance just closed my Binance account because of my tweets. Not sure what to say. This is unacceptable and I’m sure most of you will agree with me on this..
— CoinMamba (@coinmamba) December 9, 2022
Binance (BNB) restricts operations of affected users
The last CZ from CoinMamba’s site above responded to the user on Twitter. He said his case could not be eligible for Binance’s SAFU compensation program. He stated that this could be abused later:
Mamba has almost no way we can make sure users don’t steal their API keys. The trades were made using the API keys you generated. Otherwise, we will only be paying users to lose their API keys. I hope you understand.
Mamba, there is almost no way for us to be sure users didn’t steal their own API keys. The trades were done using API keys you created. Otherwise we will just be paying for users to lose their API keys. Hope you understand.
— CZ 🔶 Binance (@cz_binance) December 9, 2022
CZ also stated that they have internally agreed to block 3Commas’s access if it doesn’t stop the API key from leaking. Binance’s recommendation to block access to 3Commas could prevent further losses. But users need to be more careful about API keys. Be extra careful with any third-party apps you allow to interact with your trades.
