3Commas Denies Allegation About Stolen APIs

3Commas Denies Allegation About Stolen APIs

According to 3Commas, there were no thefts of API keys by any of their staff members. According to the crypto trading firm’s announcement, users’ API keys have not been leaked.

Fake Claims

As a result of the latest saga of API keys and attacks on exchanges, according to an official announcement from 3Commas, individuals are spreading screenshots of Cloudflare logs on Twitter and YouTube, which are being circulated as an attempt to convince people that there was a vulnerability within 3Commas, and we were irresponsible enough to allow the public to access log files and user data. As far as the screenshots are concerned, according to the company, they are fake.

One of the claiming tweets says:

It is clear that the person who created these screenshots did a nice job using an HTML editor to create the screenshots, but they made a few key mistakes that allowed their claims to be easily disproved by the screenshots.

In the blog post, the company discusses trust in the following way:

“We’re not asking you to place blind trust in 3Commas. We are asking you to critically evaluate the information we’re providing and compare it to the accusations and fake evidence being circulated by people on Twitter, YouTube, and other platforms.”

Three of the four proofs that 3Commas provides in their announcement about the screenshots being fake are within the announcement. There are several of them who claim that on the screenshots of these allegedly hacked logs, the date of the logs is November 2, 2022.

It is claimed that the company knows for sure that “Instant logs” have been activated over the past 12 months and has verified this with Cloudflare customer service in order to confirm that this has not been the case. 

On November 22, 2022, the first log entry related to the activation of the feature appeared. At the time, a video was posted on YouTube with a fake screenshot, which the team checked and discovered was also a fake. So, in other words, none of their employees had access to the Cloudflare account, nor anyone else in the company had access to it to activate it.

It is also not technically possible to delete the log files that show that the “Instant Logs” tool has been activated in Cloudflare and that the log files can be deleted.

Another type of proof is one where the screenshots are analyzed, and flaw points are highlighted. The public relation announcement and detailed explanation may solve the issue for now, but after all, these allegations have surely impacted the fame of 3Commas for the time being. In order to determine whether or not users trust the company, we need to wait and see what happens.