Update: According to 3Commas' official statement, the platform's API keys have not been stolen and the account system works as intended. The most likely reason behind the stolen funds on FTX was a phishing attack conducted with inauthentic websites mocked up to resemble the 3Commas UI.
According to the most recent WuBlockchain report, hackers found a new way of stealing users' coins directly from centralized exchanges like FTX. The first report appeared on Oct. 19, when a user lost $1.6 million worth of cryptocurrency while using the 3Commas API.
As the user's detailed trading history shows, someone traded DMG more than 5,000 times and stole $1.6 million worth of BTC, ETH, FTT and other digital assets from his account. The most likely reason behind the sudden disappearance of funds from the account is a breach in the 3Commas API that allowed hackers to take control of the account and conduct suspicious trading activities.
A new method of stealing coins is emerging: contra trade. On October 19th, a user suddenly found that his FTX account using the 3commas API was trading DMG more than 5,000 times, stealing nearly $1.6 million such as BTC, ETH, FTT, etc. from his account. pic.twitter.com/cpxoCSdLiZ
— Wu Blockchain (@WuBlockchain) October 21, 2022
The victim submitted a police case filing notice, but FTX did not take any action to protect other users from the attack via the trading API, nor did it issue any statement that would lead to funds being frozen.
According to 3Commas, there were no leaks, and the service is functioning normally. If 3Commas is not tied to the problem, FTX remains the only source of the hack, which makes the situation exponentially worse, as almost every user on the exchange may become the target of a hacker.
If 3Commas is part of the problem after all, the whole situation can be solved quickly by temporarily limiting the company's access to FTX users' accounts until the exchange's security team establishes what the problem is.
However, a breach in the security of one of the biggest exchanges in the whole industry would have been noticed more quickly by the variety of security specialists who analyze the safety of users' funds. Unfortunately, the lack of reaction from both parties creates unnecessary risks that investors will have to take on.