The FTX wash trading and theft incident, starting from the leak of the 3Commas API KEY

Wu Says Blockchain
2022-10-25 19:37:15
Currently, both FTX and 3Commas insist that users logged into a fake phishing website and leaked their API KEY.

Author: Colin Wu, Wu Says Blockchain

Original Title: "New Hacking Technique: 3Commas API KEY Leak; Full Process Record of Coin Theft through FTX and Other Exchanges"

On the 21st, a user from Hangzhou reported to Wu Says that on the night of the 19th his FTX account suddenly executed more than 5,000 trades, and nearly all of his roughly 1.6 million USD in account assets, including over a dozen BTC, hundreds of ETH and thousands of FTT, were drained through trades in the thinly traded coin DMG. The user had started using the quantitative trading bot 3Commas a year earlier; because FTX API keys do not require periodic renewal, he had never changed the key or saved it anywhere.

FTX responded that someone holding the API KEY had executed the trades through the REST API, most likely because the user's API KEY had leaked. FTX stated that it needed to receive a case notification before it could cooperate with actions such as freezing accounts, but after the user submitted the report receipt there was no further response. 3Commas claimed that no leak had occurred on its side.


It is worth noting that FTX customer service initially stated, "You are not the only one affected," but then FTX customer service ceased contact and claimed it was a misunderstanding.

The issue then shifted to 3Commas, which quickly responded after Wu Says' report, stating: "Currently, 3Commas considers this matter a top priority. We use 2FA and OTP for maximum security during login to ensure user accounts are always secure. We are in contact with users to ensure they receive all the support they need."

Subsequently, 3Commas issued a statement:

On October 20, the 3Commas team received an alert regarding an incident in which some API keys for partner exchanges connected to 3Commas were used for unauthorized trading of the DMG cryptocurrency pair on partner accounts.

In a collaborative investigation between 3Commas and our partner exchanges, it was found that many API KEYS were associated with new 3Commas accounts that were created for the first time and used for unauthorized trading of DMG on partner exchanges. The API keys were not obtained from 3Commas but were acquired externally.

We expanded the investigation and discovered several counterfeit 3Commas websites that "phished" 3Commas users by copying the design of the 3Commas web interface and capturing API keys from users who inadvertently attempted to connect their trading accounts through these fake sites.

The API keys were subsequently stored by the fake websites and used for unauthorized trading on partner exchanges' DMG pairs. Due to the scale and complexity of the attack, we also suspect that third-party browser extensions or malware may have been used. As a precaution, partner exchanges and 3Commas have identified accounts that may have suspicious activity and disabled potentially leaked API keys.

If you have an exchange account connected to 3Commas and it shows "invalid" or "needs updating" for the API, your API details may have been leaked, and the API key has been removed by the partner exchange. We urge you to create a new API key at that exchange.

https://3commas.io/blog/3commas-security-update-october-20

However, after the announcement was made, more victims began to emerge.

A victim from Paraguay told Wu Says that he lost nearly 104 bitcoins in the attack, emphasizing that FTX had known about the vulnerability since October 19, and he was attacked two days later! 3Commas claimed it was a phishing attack, but he had never used his 3Commas account to set up a bot, and that account had even expired and been downgraded to a free account. He hadn't accessed that account for over a year and had never saved the key or API key in any document, only using it over a year ago to establish a connection with FTX. He is also an IT engineer, and his laptop and smartphone are protected by Norton 360 and other mechanisms actively preventing phishing or virus attacks.

Another victim from China involved in quantitative trading also stated that he had never used 3Commas. In his screenshots, there were unauthorized trades involving DMG on the 19th, 20th, and 21st, but FTX had taken no preventive measures.

https://twitter.com/littlesand2/status/1583830658203283456


As public opinion intensified, on October 24, SBF finally responded, stating that they would compensate 6 million USD, but "this is a one-time event, and we will not develop a habit of compensating for phishing attacks using counterfeit versions from other companies." Users have since received the compensation amount. The attackers of the FTX coin theft incident have transferred their profits to Binance and FixedFloat exchanges. SBF stated that if the attackers return 95% of the stolen funds within 24 hours, they will be exempt from legal liability.

Currently, both FTX and 3Commas insist that users logged into fake phishing websites, leading to the leak of the API KEY. The victims, of course, disagree. Whatever the path, the core of the incident is the leak of the API KEY. Because the relevant data is held internally by 3Commas and FTX, very little has been disclosed so far, and the full truth may never be clear to outsiders. In summary, API KEYS need to be authorized and managed far more cautiously.

On the evening of the 24th, according to @xexploreeth's latest research, the API KEY leak did not only cost FTX users millions of dollars in stolen coins: Binance US and Bittrex suffered similar attacks through the thinly traded pairs SYS/USD and NXT/BTC, with losses of 1,053 ETH and 301 ETH respectively. While the attack was under way, the trading volume of FTX's DMG/USD rose roughly a thousandfold and the price fluctuated by a factor of 2 to 3, a clearly abnormal trading event. FTX nevertheless did not intervene immediately, and the pattern recurred several times, so the exchange also bears part of the responsibility (SBF did compensate user losses promptly). Other exchanges should pay closer attention to signals of this kind.
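The abnormal pattern described here (a normally illiquid pair whose volume jumps by orders of magnitude while its price swings several-fold within one window) is the kind of signal an exchange-side surveillance check can catch. The following is an added example, not code from the article or from any exchange; the hourly buckets, the thresholds and the `Bucket` record layout are constructed assumptions.

```python
"""Surveillance check for wash-trading-style abuse of a thin pair:
flag a window whose volume is far above the trailing baseline AND whose
intra-window price range is a multiple of itself. Requiring both signals
keeps a single large legitimate order (volume only) from tripping it."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Bucket:
    ts: int        # bucket start, unix seconds (constructed)
    volume: float  # traded quote volume in the bucket
    high: float    # highest trade price in the bucket
    low: float     # lowest trade price in the bucket


def baseline_volume(history, lookback):
    """Median volume of the trailing `lookback` buckets; the median is
    robust to a few earlier spikes that a mean would absorb."""
    window = history[-lookback:]
    return median(b.volume for b in window) if window else 0.0


def flag_abnormal(history, current, lookback=24, vol_ratio=100.0, price_ratio=2.0):
    """Return (flagged, reason). Thresholds are assumptions: the incident
    showed ~1000x volume and a 2-3x price swing, so 100x / 2x leaves margin."""
    base = baseline_volume(history, lookback)
    if base <= 0 or current.low <= 0:
        return False, "insufficient baseline"
    v = current.volume / base
    p = current.high / current.low
    if v >= vol_ratio and p >= price_ratio:
        return True, f"volume x{v:.0f} vs baseline, price range x{p:.1f}"
    return False, f"volume x{v:.0f} vs baseline, price range x{p:.1f}"


# Constructed sample: 24 quiet hours (median volume 1100), then one hour
# resembling the incident (~1000x volume, 3x high/low) and one normal hour.
QUIET = [Bucket(3600 * i, 1_000.0 + (i % 5) * 50, 0.0102, 0.0098) for i in range(24)]
SPIKE = Bucket(3600 * 24, 1_100_000.0, 0.030, 0.010)
NORMAL = Bucket(3600 * 24, 1_200.0, 0.0103, 0.0097)

if __name__ == "__main__":
    for name, bucket in (("spike", SPIKE), ("normal", NORMAL)):
        flagged, reason = flag_abnormal(QUIET, bucket)
        print(f"{name}: {'ALERT' if flagged else 'ok'} ({reason})")
```

In production the alert would feed a halt-trading or rate-limit decision for the pair and a review of which API keys generated the volume, rather than just a log line.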
