3Commas Fails to Protect Users’ Crypto Accounts from Theft, Class Action Alleges
Freeman et al. v. 3Commas Technologies OÜ
Filed: January 9, 2023 | Case No. 4:23-cv-00101
A class action claims 3Commas Technologies OÜ is responsible for a data breach that led to nearly $22 million in cryptocurrency being stolen from users.
Claims brought under: New York General Business Law; California Unfair Competition Law; Florida Deceptive and Unfair Trade Practices Act; Washington Consumer Protection Act; New Jersey Consumer Fraud Act; California Consumers Legal Remedies Act; Pennsylvania Unfair Trade Practices and Consumer Protection Law; Texas Deceptive Trade Practices Act; Michigan Consumer Protection Act; Nevada Deceptive Trade Practices Act; Utah Consumer Sales Practices Act; Illinois Uniform Deceptive Trade Practices Act
California
A proposed class action claims 3Commas Technologies OÜ is responsible for a data breach that leaked the personal information of at least 100,000 consumers and led to nearly $22 million in cryptocurrency being stolen from users.
The 62-page lawsuit, filed by 13 individuals who purchased 3Commas service plans, claims the Estonia-based automated crypto trading software provider failed to encrypt personal data stored on its servers, resulting in an ongoing data breach that began in October 2022. Moreover, the case alleges that 3Commas knew the cyberattack had occurred but refused to take responsibility until the evidence against the company became undeniable.
According to the suit, 3Commas offers software known as a crypto trading “bot” that will automatically make trades on cryptocurrency exchange platforms on behalf of a user when specified conditions are met. The case explains that before making an automated trade, bots must receive access to an application programming interface (API) key, or “secret credentials generated by each platform” that allow the bots to trade on a user’s behalf. Per the case, API keys are specific to each user and trading platform and must be manually generated on the platform by users and then provided to 3Commas.
The complaint states that in October and November 2022, a nefarious actor used API keys belonging to at least 48 consumers to make hundreds of unauthorized trades on various cryptocurrency exchange platforms, costing some users hundreds of thousands of dollars in lost value.
“Attacks against 3Commas customers have continued since, with new victims surfacing at a rapid pace,” the suit states.
Responding to rumors that 3Commas had leaked customer API keys or had its API database hacked, the company published a November blog post claiming that there had been “no breaches on the account security and API encryption systems of 3Commas or our partner exchanges,” the filing reads.
The blog post asserted that victims had been tricked into giving their API keys to cybercriminals through phishing schemes, including by building a “fake website resembling the automatization engines’ interfaces on its own website and lur[ing] a few customers into re-entering API keys,” the suit relays.
Per the complaint, 3Commas continued to stand by this explanation, even though many affected individuals said there were no 3Commas phishing websites in their browser histories, or that they had used security protocols that could not have been breached through the alleged phishing attempts.
However, the case says, the truth came to light when an unknown hacker’s now-deleted December 2022 Pastebin post revealed that they had gained access to the 3Commas database and stolen over 100,000 user API keys.
“[T]he unknown hacker stated that ‘3Commas [] sold your information to the biggest bidder and now they claim that the problem is not on their side,’ indicating that they had obtained the stolen API keys directly from 3Commas themselves either through illicit purchase from 3Commas or at least through a direct exploit, and not by phishing individual 3Commas users,” the case reads.
That same day, 3Commas admitted that it had been hacked, even though the company knew about the data breach long before the hacker’s announcement, the complaint alleges. The lawsuit explains that 3Commas began revoking all API keys connected to its website only after the hacker had publicly exposed the breach and used the stolen data to make unauthorized trades.
“Had 3Commas come forward and admitted within a reasonable time that it had suffered a data breach which leaked the API keys of, at minimum, over 100,000 of its users, 3Commas users could have and would have taken prophylactic steps sooner to protect their linked Cryptocurrency accounts,” the case argues. “Further, 3Commas could have and should have revoked all API keys connected to their website as soon as they discovered that the API attacks could not be attributed solely to phishing schemes carried out on its users.”
Contrary to 3Commas’ privacy policy claim that it takes “necessary technical and organizational security measures” to protect its customers’ personal data, independent investigations found that 3Commas does not encrypt the sensitive API data it stores on its servers, the lawsuit alleges.
“This means that any individual – whether a 3Commas employee or nefarious actor – with access to 3Commas’ webservers can easily view the sensitive API data of 3Commas customers,” the case says.
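The allegation above turns on exchange API credentials being readable by anyone with access to the web servers. As an added illustration, not 3Commas code and not a description of its actual systems, the following Go functions show the storage pattern that denies a server-side reader those secrets: each user's key/secret pair is sealed with AES-GCM under a key-encryption key (KEK) that is assumed to come from a KMS or HSM and is never stored beside the records, and the ciphertext is bound to its owning user and exchange so a copied blob is useless on another row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// NewSealer builds AES-GCM under the key-encryption key (KEK). The KEK is fetched once
// at startup from a KMS/HSM (assumed here) and never stored with the records or web tier.
func NewSealer(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential returns the blob to store in one user/exchange row:
// nonce || AES-GCM(apiKey \x00 apiSecret). The owning user and exchange are
// bound in as additional data, so a blob copied to another row will not open.
func SealCredential(gcm cipher.AEAD, userID, exchange, apiKey, apiSecret string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := []byte(apiKey + "\x00" + apiSecret)
	return gcm.Seal(nonce, nonce, plain, []byte(userID+"|"+exchange)), nil
}

// OpenCredential is the only path back to plaintext; it fails on a wrong KEK,
// a tampered blob, or a blob moved to a different user/exchange row.
func OpenCredential(gcm cipher.AEAD, userID, exchange string, sealed []byte) (string, string, error) {
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return "", "", errors.New("sealed blob too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(userID+"|"+exchange))
	if err != nil {
		return "", "", err
	}
	key, secret, ok := strings.Cut(string(plain), "\x00")
	if !ok {
		return "", "", errors.New("malformed credential plaintext")
	}
	return key, secret, nil
}
```

A database dump or web-server read then yields only sealed blobs; decryption also requires the KEK, which is why the KEK must live outside the tier an intruder is assumed to reach.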
The lawsuit looks to represent anyone in the United States who purchased a 3Commas service plan and provided their personally identifiable information, including their API data, to 3Commas and who subsequently had their API data exposed as a result of the data breach 3Commas suffered beginning in late 2022.