The Season for Crypto Theft

While many of us were enjoying time with family and friends over the festive season, two cryptocurrency platforms were dealing with cyberattacks. In the first incident, BTC.com lost approximately 3 million USD belonging to both customers and the company following a cyberattack. In the second, the crypto trading platform 3Commas admitted that API keys belonging to its users had been stolen by hackers. For 3Commas this appears to be one more security incident on top of a list of previously poorly handled ones, as will be seen later in this article.

Returning to the BTC.com incident, the seventh largest cryptocurrency mining pool announced via a press release that around 700,000 USD of customer assets and a further 2.3 million USD of the company's own digital assets had been stolen by hackers.


In the company's own words:

“...today announced that the Company's subsidiary, BTC.com, experienced a cyberattack on December 3, 2022. In the cyberattack, certain digital assets were stolen, including approximately US$700,000 in asset value owned by BTC.com's clients, and approximately US$2.3 million in asset value owned by the Company.

The Company reported this incident to law enforcement authorities in Shenzhen, China. Due to coordination locally and within the Company internally, some of BTC.com's digital assets have already been secured. On December 23rd, 2022, the authorities had launched an investigation, began collecting evidence, and had requested assistance from and coordination with relevant agencies. The Company will devote considerable efforts to recover the stolen digital assets.

In the wake of discovering this cyberattack, the Company has implemented technology to better block and intercept hackers. BTC.com is currently operating its business as usual, and apart from its digital asset services, its client fund services are unaffected.”

While the company notes that some of the stolen digital assets have been secured, it gives no indication of how much has been recovered.

The company has gone on record stating that measures have been taken to prevent further incidents of this kind, but next to nothing has been disclosed about the exact nature of the incident or about those measures.

Sadly, there is currently no information on how the attackers were able to steal the cryptocurrency, or on whether any data or personal information was taken during the incident, and the company has not responded to requests for comment from publications such as BleepingComputer.

3Commas API Keys Stolen

An anonymous Twitter user used the social media platform to publish a set of 10,000 API keys allegedly obtained from the 3Commas cryptocurrency trading platform. The user claimed that the leak was just 10% of the data set and that they planned to publish the rest in the coming days.

These API keys are central to how the platform conducts its business. 3Commas' trading bots use exchange API keys supplied by customers to interact with cryptocurrency exchanges and perform automated investment and trading actions on the customers' behalf, without ever needing the customers' exchange account credentials. The flip side is that an exchange API key with trading permission authenticates requests entirely on its own: whoever holds the key and its secret can place trades as the user until the exchange revokes the key or the user replaces it.
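To make concrete why the stolen keys matter, and why revoking them at the exchange is the effective remedy, here is an added Python example. It is not code from the original article, from 3Commas or from any exchange. It models the request-signing scheme that Binance-style REST APIs use (an HMAC-SHA256 over the query string, keyed by the API secret) against a constructed in-memory key store; the key names, secrets, endpoint paths and permission names are made up for illustration. It also shows that a key scoped to trading only cannot be used to withdraw, which is the permission scoping a user should apply before handing a key to any third-party bot.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed key store standing in for an exchange's API-key table.
# Key names and secrets are made up for this example; they are not real credentials.
KEY_STORE = {
    "demo-trade-only": {"secret": "trade-only-secret", "perms": {"read", "trade"}, "revoked": False},
    "demo-full-access": {"secret": "full-access-secret", "perms": {"read", "trade", "withdraw"}, "revoked": False},
}

# Permission each (hypothetical) endpoint requires.
ENDPOINT_PERMS = {"/account": "read", "/order": "trade", "/withdraw": "withdraw"}

RECV_WINDOW_MS = 5000  # how far the client's timestamp may drift from server time


def sign_request(secret, params):
    """Client side: the bot builds a query string and authenticates it with an
    HMAC-SHA256 keyed by the API secret. Nothing else (no password, no 2FA) is
    presented to the exchange, which is why a leaked key+secret pair is enough
    to trade as the user."""
    query = urlencode(params)
    signature = hmac.new(secret.encode(), query.encode(), hashlib.sha256).hexdigest()
    return query, signature


def verify_request(api_key, path, query, signature, server_time_ms):
    """Exchange side: accept only if the key exists, is not revoked, carries the
    permission the endpoint needs, the signature matches and the timestamp is
    fresh. Returns a short outcome string so the caller can see which check failed."""
    entry = KEY_STORE.get(api_key)
    if entry is None or entry["revoked"]:
        return "rejected: unknown or revoked key"
    needed = ENDPOINT_PERMS.get(path)
    if needed is None or needed not in entry["perms"]:
        return "rejected: key lacks '%s' permission" % needed
    expected = hmac.new(entry["secret"].encode(), query.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the signature check cannot be timed byte by byte.
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    params = dict(parse_qsl(query))
    if abs(server_time_ms - int(params.get("timestamp", 0))) > RECV_WINDOW_MS:
        return "rejected: stale timestamp"
    return "accepted"


def revoke(api_key):
    """What 'revoke all keys connected to 3Commas' means on the exchange side:
    the key is marked unusable, so every further request signed with it fails
    even though the signature itself is still valid."""
    KEY_STORE[api_key]["revoked"] = True


def attacker_session(stolen_key, stolen_secret, server_time_ms):
    """Replays what an attacker holding a leaked key+secret pair can do before
    and after revocation. Returns the list of outcomes in order."""
    order = {"symbol": "BTCUSDT", "side": "SELL", "quantity": "0.5", "timestamp": server_time_ms}
    order_query, order_sig = sign_request(stolen_secret, order)
    outcomes = [verify_request(stolen_key, "/order", order_query, order_sig, server_time_ms)]
    # A withdrawal succeeds only if the key was granted the 'withdraw' permission.
    withdraw = {"asset": "BTC", "amount": "0.5", "timestamp": server_time_ms}
    w_query, w_sig = sign_request(stolen_secret, withdraw)
    outcomes.append(verify_request(stolen_key, "/withdraw", w_query, w_sig, server_time_ms))
    # Changing the order after signing breaks the signature.
    tampered = order_query.replace("quantity=0.5", "quantity=5.0")
    outcomes.append(verify_request(stolen_key, "/order", tampered, order_sig, server_time_ms))
    # After the exchange revokes the key, a correctly signed request is still refused.
    revoke(stolen_key)
    outcomes.append(verify_request(stolen_key, "/order", order_query, order_sig, server_time_ms))
    return outcomes


if __name__ == "__main__":
    for line in attacker_session("demo-trade-only", "trade-only-secret", 1_700_000_000_000):
        print(line)
```

Running it with the trade-only key shows the sequence a user would want: the stolen key places a sell order, the withdrawal is refused for lack of permission, a tampered order fails the signature check, and once the key is revoked even a correctly signed order is rejected. Replaying with the full-access key shows why "trade only, no withdrawals, IP allowlisted" is the right way to issue keys to a bot platform in the first place.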

3Commas confirmed via Twitter that the leaked files did indeed contain API keys and urged all supported exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys connected to 3Commas.

Users were further advised to reissue the API keys linked to the exchanges they use with the platform, and the company noted that it does not believe the leak was an inside job. As for additional security measures, the company stated,

“Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access…Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved,”

Given that the company knew of a breach by mid-November, and possibly earlier since reports of unauthorized trades began in October 2022, yet only acknowledged on December 29, 2022 that it had indeed been breached, the window in which users of the platform could lose money unnecessarily grew dramatically. Many users are believed to have lost funds through unauthorized trades.

The handling of the data breach leaves much to be desired when measured against well-established best practices for responding to such an incident. On November 23, Coindesk reported that users of the Alameda-backed company (a headache all on its own) had lost approximately 6,000,000 USD following the company leaking their credentials.

At the time the company said the affected users must have fallen victim to phishing attacks and that its own infrastructure had not been breached.

Reports of users losing money continued to come in, and the company published a report detailing the findings of its investigation into the matter. The company claimed that it could find no evidence of a compromise of its systems. Further, it denied that employees were stealing user API keys to siphon off user assets.

Users are now demanding full refunds of the funds siphoned off. It is unclear whether there is a direct relation between the recent Twitter leak and the claims arising in October; however, given the company's previous denials and attempts to place the blame on its users, many more questions need to be answered.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
