The founder and CEO of FTX, Sam Bankman-Fried (SBF), announced on October 24th via Twitter that the exchange would compensate users of the crypto exchange affected by the recent elaborate 3Commas-related phishing attack. Mr. Bankman-Fried capped the compensation at $6 million and clarified that it was a ‘one-time thing’ which would not set ‘a precedent’ for future incidents.
What Happened and How Were the FTX Customers Phished
The incident he was referring to was an elaborate phishing attack that targeted 3Commas users and managed to extract their FTX API trading keys from them.
An initial analysis by Colin Wu of WuBlockchain revealed that the phishing attack targeted at least four 3Commas users who held a significant amount of Bitcoin, Ethereum, and FTX Token on the exchange. One user with an FTX trading account worth $1.6 million lost more than 10 BTC and hundreds of ETH through contra-trading on DMG pairs. Another trader told WuBlockchain that they lost 104 Bitcoins. The attacker allegedly transferred the profits made to the Binance and FixedFloat exchanges.
An additional investigation by the team at 3Commas and FTX revealed that API trading keys from the crypto exchange were stolen from three users of the trading-bot platform.
The theft occurred outside the 3Commas system through an elaborate phishing attack that used fake websites that mimicked its platform. Victims accidentally used these fake websites to try to connect to their exchange accounts and unknowingly keyed in their trading API keys. The attackers then used the stolen API keys to place unauthorized trades using DMG cryptocurrency trading pairs on the FTX crypto exchange, leading to losses.
A 3rd Party Browser Extension or Malware Could Have Been Used – 3Commas
In his Twitter thread announcing that FTX would compensate the victims up to $6 million, SBF cautioned that phishing attacks had become more elaborate and that the exchange had made significant progress in stamping out fake websites ‘masquerading’ as FTX. He added that this was as much as the exchange could do to protect its users from being phished, and that crypto companies in the industry would have to ‘separately deal with phishing.’
The 3Commas team added that it was ‘doing everything possible’ to support its users and theorized that a third-party browser extension or malware could also have been used to extract the trading API keys. Similar malware was used to carry out March’s record-breaking $610 million Axie Infinity hack, when a senior engineer at Sky Mavis unknowingly downloaded a malicious file that compromised the Ronin network’s systems.
Phishing Attacks Are Becoming More Elaborate
The FTX/3Commas phishing incident demonstrates that attackers are evolving and becoming more sophisticated in their attempts to trick crypto investors and holders into parting with their hard-earned digital assets.
This time, they did not directly go after the users’ accounts or crypto wallets. The attackers used stolen API keys to deliberately have their victims incur heavy trading losses while profiting from them.
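The abuse pattern described above (a stolen API key suddenly trading a thin pair the victim never touched) is something an exchange or bot platform can look for on its own order stream. The following is an added example, not code from FTX, 3Commas or the original article: a heuristic that flags bursts of API-placed orders on a pair the account has no history with; the order format, account ids, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Order:
    ts: datetime          # time the order was placed
    account: str          # exchange account id (constructed)
    pair: str             # trading pair, e.g. "DMG/USD"
    notional_usd: float   # order size in USD
    via_api: bool         # placed with an API key rather than the web UI

def flag_unusual_api_trading(orders, known_pairs, window=timedelta(minutes=10),
                             min_notional=50_000.0):
    """Return {(account, pair): peak_usd} for API orders on a pair the account
    never traded before whose notional inside any `window` reaches
    `min_notional`. Heuristic only: a stolen key on a thin market looks like this."""
    per_key = defaultdict(list)
    for o in orders:
        if o.via_api and o.pair not in known_pairs.get(o.account, set()):
            per_key[(o.account, o.pair)].append(o)
    flagged = {}
    for key, group in per_key.items():
        group.sort(key=lambda o: o.ts)
        start = 0
        for end in range(len(group)):          # sliding time window over the burst
            while group[end].ts - group[start].ts > window:
                start += 1
            total = sum(o.notional_usd for o in group[start:end + 1])
            if total >= min_notional:
                flagged[key] = max(total, flagged.get(key, 0.0))
    return flagged

# Constructed sample data (not from the incident): acct_1 normally trades BTC
# and ETH; a burst of API orders then appears on DMG/USD.
KNOWN_PAIRS = {"acct_1": {"BTC/USD", "ETH/USD"}, "acct_2": {"BTC/USD"}}
T0 = datetime(2022, 1, 1, 3, 0, 0)
SAMPLE_ORDERS = [
    Order(T0, "acct_1", "BTC/USD", 120_000.0, True),                        # familiar pair
    Order(T0 + timedelta(minutes=1), "acct_1", "DMG/USD", 30_000.0, True),
    Order(T0 + timedelta(minutes=3), "acct_1", "DMG/USD", 45_000.0, True),
    Order(T0 + timedelta(minutes=4), "acct_1", "DMG/USD", 25_000.0, True),
    Order(T0 + timedelta(hours=2), "acct_2", "DMG/USD", 5_000.0, True),     # below threshold
    Order(T0 + timedelta(hours=3), "acct_2", "SOL/USD", 80_000.0, False),   # web UI, not API
]

if __name__ == "__main__":
    for (acct, pair), usd in flag_unusual_api_trading(SAMPLE_ORDERS, KNOWN_PAIRS).items():
        print(f"ALERT {acct}: ${usd:,.0f} of API orders on unfamiliar pair {pair}")
```

Only acct_1's DMG/USD burst is reported; tuning the window and notional threshold to each account's normal volume is what keeps this from paging on legitimate bot strategies.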
How to Protect Yourself From Phishing Attacks
The successful phishing attack and contra-trading prove that the bottom line for attackers remains the same: to access sensitive personal information through social engineering and use it to steal digital assets.
But there is some hope, as one can use the following measures to reduce the chances of being a victim of phishing.
- Staying continually up to date on the new ways phishing attacks are carried out and learning from them
- Using past patterns of phishing attacks to recognize potential threats on the internet
- Using 2FA on all accounts associated with trading (crypto exchanges and trading bots)
- Not storing passwords and API keys on cloud-based services
- Treating links and files sent through email, SMS, and private messages on social media with suspicion
- Double-checking website addresses, email addresses, and usernames on social media to confirm their legitimacy
- Installing firewalls and pop-up blockers
- Being cautious with Google searches, as malicious websites can be made to appear at the top of search engine results
- Not getting carried away with free exclusive offers such as NFT mints, airdrops, and whitelists
- Learning how to check whether a file is malicious by running it in a controlled virtual environment (sandbox) such as Docker