3Commas, a platform that enables users to build automated trading bots, announced Oct. 21 that three of its customers’ keys were used to execute unauthorized trades on its partner exchange accounts.
An investigation revealed that the affected users were phished using fake 3Commas websites, indicating that the keys were stolen outside 3Commas.
Crypto exchange FTX’s CEO Sam Bankman-Fried tweeted Oct. 24 that several other users had also fallen prey to other phishing attacks that emulated sites like 3Commas. While FTX cannot stop miscreants from creating fake sites of other crypto services, as a “ONE TIME THING,” the exchange will compensate users who collectively lost $6 million, he said.
13) But in this particular case, we will compensate the affected users.
THIS IS A ONE-TIME THING AND WE WILL NOT DO THIS GOING FORWARD.
THIS IS NOT A PRECEDENT.
We will not be making a habit of compensating for users getting phished by fake versions of other companies!
— SBF (@SBF_FTX) October 23, 2022
Bankman-Fried elaborated that FTX has a team dedicated to thwarting bogus FTX clones and that the exchange has “a huge number of controls” to prevent fake sites from attacking FTX accounts. He added that while “it was a lot of work,” the attempts to prevent phishing attacks have been “mostly successful.”
Bankman-Fried pointed out that phishing “sucks” and is “something we should be fighting as an industry,” rather than the present arrangement in which each company has to try to squash phishing attempts on its own.
In these phishing attacks, users of FTX and other exchanges unwittingly entered their exchange API keys on the fake platforms in order to use their trading services, SBF explained. While the methods may have varied between the different sites that were imitated, in each case the victims were exploited by “third party attackers,” he wrote.
SBF further suggested asking the scammer to return 90% of the loot, roughly $5.7 million, in exchange for absolution. He added that he hoped other exchanges whose users were affected by the scam, such as Binance, would also compensate the victims. But he repeated his warning that this is not a “precedent” and that in future, FTX will not compensate users who willingly hand over information in phishing attacks on external sites.