Main navigation

Hack Alert: Binance Accounts Still Vulnerable to 3Commas API Flaw, Traders Say

Sat, 12/10/2022 - 15:54
article image
Vladislav Sopov
At least two traders lost their deposits on Binance (BNB), largest crypto exchange, as result of known 3Commas API vulnerability
Hack Alert: Binance Accounts Still Vulnerable to 3Commas API Flaw, Traders Say
Cover image via
Read U.TODAY on
Google News

Seasoned poker player and trader with 280,000 followers on Twitter found that their deposits on Binance (BNB) had disappeared. It looks like their losses should be attributed to the vulnerability unveiled in mid-October.

Hackers target Binance (BNB) accounts: Who is in danger?

Binance (BNB) users have had their accounts drained by attackers through a well-known vulnerability of 3Commas trading bot API instruments, according to a statement by Rodion Longa, founder of the Worldpokerdeals portal. His losses are estimated at $450,000 in Binance USD (BUSD) stablecoins.

Longa recalled that he has not used 3Commas trading bot API in the last 11 months, so there is no possibility of a phishing attack. He had even forgotten about the fact that an API connection was established on his Binance account.

Almost simultaneously, a similar issue was reported by an anonymous trader who goes by @coinmamba on Twitter. The trading veteran stated that he had only connected his API to 3Commas services and had also forgotten about the fact.

He immediately reported the issue to the Binance (BNB) team and asked for a compensation. However, he said that his core motivation was to make the platform take action to prevent such attacks from happening again.

Binance (BNB) restricts operations of affected trader, here's why

Changpeng "CZ" Zhao responded to Coinmamba and stated that his case cannot be eligible for Binance's SAFU compensation program as this might unlock attractive opportunities for abuse:

Mamba, there is almost no way for us to be sure users didn't steal their own API keys. The trades were done using API keys you created. Otherwise we will just be paying for users to lose their API keys. Hope you understand.

In a few hours, Coinmamba unveiled that his Binance (BNB) account was put in "withdraw only" mode. He shared a screenshot of a tweet allegedly deleted by CZ, where the Binance CEO called the trader "unreasonable" and called the entire situation a "two-sided walk."

Coinmamba concluded that the account was restricted due to "his tweets."

As covered by U.Today previously, a number of reports flooded crypto Twitter in October-November 2022: traders noticed that attackers started using the 3Commas API to pump and dump low-cap coins via Binance accounts.

Scam Alert: New Method of Stealing Coins Emerges

In an official statement, the 3Commas team assured users that no keys were leaked on their side.

article image
About the author

Blockchain Analyst & Writer with scientific background. 6+ years in IT-analytics, 3+ years in blockchain.

Worked in independent analysis as well as in start-ups (, Monoreto, Attic Lab etc.)