EXCLUSIVE. 3Commas: behind the scenes of a hack that affected hundreds of French people
Hundreds of French people lost several million euros after Estonian company 3Commas, which offers trading bots, was hacked. According to our information, an investigation has been opened in Paris.
It was a Christmas that Pierre* will remember for a long time. On 25 December 2022, this French Binance user logged on to the exchange platform and discovered that his account had been siphoned off. More than €300,000 was gone. He has just over 5,000 euros left...
Between 10.29pm and 11.53pm, 4,200 orders were placed on his account without his knowledge. His cryptos, mainly pounds sterling, ether, Binance USD and bitcoin, were used by the hackers to buy small cryptocurrencies: Akropolis (AKRO) and Mirror (MIR).
The hackers did not choose AKRO and MIR by chance. As these tokens are very thinly traded and illiquid, it is easy to manipulate their prices upwards, and attract other investors who will fuel the spiral, which is what happened on 25 December 2022. Prices rose 9-fold in just a few hours.
While the AKRO and MIR prices were climbing, the hackers took the opportunity to sell their own tokens and amassed a small fortune.
Pierre is obviously not the only user affected. According to our information, there are hundreds of users who have suffered the same scam on different platforms: Coinbase Pro, KuCoin and FTX (now defunct). They are worth several million euros in France alone. More globally, the losses amount to 22 million euros.
All customers of 3Commas
All these victims have one thing in common: they are all customers of 3Commas, an Estonian company that sells trading robots.
Trading robots are computer programmes that automatically trade cryptos on exchange platforms, according to a strategy established in advance; these strategies are more or less offensive.
As part of this case, 3Commas has just been taken to court in France by Pierre and other investors "for damages of between €100,000 and €400,000", says Romain Chilly, partner at law firm ORWL. Proceedings are also under way in the United States.
The company is accused of having failed to take due care in securing its customers' data (in this case API keys that enabled automatic orders to be placed without customer intervention).
After denying any problem, 3Commas admitted on 1 January 2023 that it had suffered a data theft in autumn 2022, a few months before the serial hacks. Some of this data was allegedly used by the hackers.
The start-up is far from an unknown: it was founded in 2017 in Tallinn and claims more than 220,000 customers (who pay $99 a month for its services). It is even one of the world's leading developers of trading robots.
3Commas raised $37 million in September 2022 from German fund Target Global, Alameda Research (the investment fund of FTX founder Sam Bankman-Fried), US market maker Jump Crypto and Dimitri Tokarev, the founder of custody solution Copper.
3Commas wants to protect itself
To date, 3Commas has encouraged its customers to turn against exchange platforms to take advantage of their insurance. However, the Estonian company could well be found liable and several investors are hoping to be compensated.
"This type of case is often quite difficult to resolve through the legal system because you have to file a complaint in the company's country of residence, yet we found that 3Commas was targeting the French in its communications and this allows us to bring the case before the French courts," says lawyer Romain Chilly.
3Commas in fact offers its site in French and had published sponsored articles in specialist blogs hosted in France. In addition, its mobile application is available on the French versions of the AppStore and Google Play Store.
Contacted, 3Commas did not wish to respond to our requests.
() First name anonymised*