Explained: The 3Commas Breach (December 2022)

In December 2022, 3Commas, which operates crypto trading bots, experienced a data breach.  Compromised API keys allowed attackers to steal an estimated $20 million from users of the service.

Inside the Attack

3Commas helps users implement trading strategies via a network of managed trading bots.  As part of this service, 3Commas users link their account with the service to blockchain wallets on certain, supported exchanges.

In December 2022, an attacker revealed on Pastebin that they had gained access to the 3Commas database.  With this access, they were able to steal API keys used to perform transactions via various exchanges.

With the stolen API data, these attackers were able to link their own blockchain wallets to exchange accounts and perform trades on the user’s behalf.  As a result, an estimated $20 million in cryptocurrency was maliciously transferred from these exchange accounts to the attackers’ wallets.

Lessons Learned From the Attack

While the attacker alleged that the theft of API keys was an inside job, the exact mechanism of the attack has not been proven.  Since the incident, 3Commas claims to have taken additional steps to limit access to and protect the database.

The 3Commas hack underscores the truth of the saying “not your keys, not your crypto.”  Entrusting private keys — or access to an exchange account with control over a blockchain account — to a third party places blockchain users at risk of data breaches and lost funds.  For more information on protecting your blockchain account against attacks like this, check out our blog on crypto wallet security.