Crypto Traders Take Action Against 3Commas Over Unauthorized Activity on Exchange Accounts

News | May 9, 2024

On Wednesday, April 24, 2024, an amended complaint was filed in the United States District Court for the Northern District of California alleging that the crypto trading bot provider 3Commas Technologies OÜ failed to secure customer API keys, resulting in millions of dollars lost to fraudulent trades.

The complaint was brought by 14 individual investors against 3Commas on behalf of themselves and other customers similarly affected. The plaintiffs alleged that starting in October 2022, many 3Commas users noticed unauthorized trades had been made on their crypto exchange accounts using their API keys, which had been provided to 3Commas for its trading bots to function. API keys are credentials generated by exchanges like Binance and Coinbase that allow third parties limited permission to access a user’s account for purposes like automated trading.

According to the complaint, victims reported “dozens and dozens” of unauthorized trades made with their accounts that sold all assets into low-market-cap cryptocurrencies, which are highly volatile and difficult to liquidate. Some plaintiffs claimed losses of up to hundreds of thousands of dollars due to the fraudulent activity. By November, it was reported that at least 48 3Commas customers had been identified as victims of similar attacks, with total losses said to reach around $6 million across multiple exchanges.

When rumors spread that 3Commas may have suffered a data breach exposing API keys, the company denied this. In blog posts and tweets, 3Commas maintained that victims had been targeted through phishing schemes, in which fake websites imitating 3Commas were used to trick users into re-entering their API keys. However, the complaint alleges that many victims found 3Commas’ explanation unconvincing, with some claiming they had taken security precautions, such as two-factor authentication, that could not have been bypassed via phishing. The deputy CTO of 3Commas was also later quoted as admitting that “nothing can be told for sure” about the root cause.

The amended complaint filed this week asserts that 3Commas was negligent in its collection and storage of sensitive API keys, in violation of its own terms of service, and that this enabled fraudulent activity on customer accounts. It alleges that 3Commas should be held responsible for the resulting losses. The filing lists several plaintiffs who claim to have lost hundreds of thousands of dollars each due to unauthorized trades, with one stating they used Binance’s “Fast API” service, which would not have exposed keys to phishing.

This case highlights the ongoing risks for cryptocurrency users of having digital accounts compromised. While automated trading bots can generate profits, they require trustworthy security practices from providers entrusted with access to funds.

Please contact BlockTribune for access to a copy of this filing.