FTX responded to the report about 3comma, the website for automated trading users exploited on their platform. The crypto exchange CEO, Sam Bankman Fried, said bad actors used a phishing scheme to steal critical information and millions of dollars in cryptocurrency.
Over the weekend, Wu Blockchain reported on several 3commas users claiming a massive loss due to a “Contra Trading” attack on FTX. Bad actors took over the users’ API Keys and were able to force them to set up positions without their knowledge.
The hackers use cryptocurrencies with low market capitalization, such as DMG, MER, and PORT, due to their insufficient liquidity for their USDT trading pairs. By injecting capital into these pairs, the bad actors “counter” the established positions liquidating their counterparties and stealing their funds.
One of the victims, Wu Blockchain, said they never used or signed up for 3commas others created API Keys for FTX but stopped using the service. However, the users never deleted these keys, which later became the bad actors’ possession.
An API Key is a mechanism that enables 3commas to interact with crypto exchange platforms to allow trading bots to operate based on specific parameters and strategies. The hackers accessed the funds in the users’ wallets by taking over these keys. The “Counter Trading” attack was a simple way to transfer them from their wallets into the attackers’.
In addition to FTX being attacked by API KEY leak, @x_explore_eth found that @BinanceUS was also attacked similarly, 1053 ETH was stolen, SYS/USD pair was used for contra trading ; and the attack against Bittrex, 301 ETH was stolen, NXT/BTC pair was used. https://t.co/KCBmJFRAIE https://t.co/6fz0tQBPHQ
— Wu Blockchain (@WuBlockchain) October 24, 2022
FTX Takes Responsibility For 3Commas Phishing Scam
The report records at least four victims of this attack, one of them, identified as “Bruce,” claims to have lost $1.5 million in U.S. dollars from October 18th to 21st. Other victims lost over 100 BTC. Sam Bankman Fried classified the event as “frustrating.” Via Twitter, he said:
We’ve mostly stamped out sites that try to phish users by masquerading as FTX. But we can’t fix fake sites impersonating *other* services. A few users accidentally registered at fake other sites, including 3Commas. They provided their FTX api keys to use the sites’ trading tools. Others users were probably phished through other methods. But one way or another, these users were exploited by third party attackers.
While admitting that the attacks were out of their hands, the FTX CEO said the company would take responsibility by making the victims whole. The crypto exchange will cover the victims’ losses totaling around $6 million.
This measure will only apply to FTX accounts and will only be implemented “this once,” Bankman Fried clarified. In addition, the executive will “absolve” the attackers if they return 95% of the stolen funds in the next 24 hours. This deadline will end in the next six hours. The executive said:
(…) this particular case, we will compensate the affected users. THIS IS A ONE-TIME THING AND WE WILL NOT DO THIS GOING FORWARD. THIS IS NOT A PRECEDENT. We will not making a habit of compensating for uses getting phished by fake versions of other companies!