Report: how cybercriminals abuse API keys to steal millions

Pierluigi Paganini May 21, 2021

CyberNews researchers found that crooks could abuse cryptocurrency exchange API keys and steal cryptocurrencies.

Original post available here: https://cybernews.com/security/report-how-cybercriminals-abuse-api-keys-to-steal-millions/

CyberNews researchers found that cybercriminals are able to abuse cryptocurrency exchange API keys and steal cryptocurrencies from their victims’ accounts without being granted withdrawal rights. At the same time, more than $1,000,000 in cryptocurrency is being held in accounts that have their API keys exposed on public code repositories.

As the cryptocurrency market exploded over the past few years, companies began to offer apps and services to help traders streamline their trading process.

To use these services, traders can grant third-party programs access to their personal accounts on cryptocurrency exchanges via API keys that allow these programs to perform actions on their behalf, including opening and executing automatic trade orders without logging into the exchange.

Each set of API keys has two parts, commonly referred to as the public key and the secret key. The secret key is used by third-party apps to sign operation requests, and a valid signature tells the cryptocurrency exchange that the app is authorized to access the trader’s account and carry out the operations permitted by that API key.

Naturally, having your API keys exposed or stolen by cybercriminals can result in catastrophic consequences. With that said, even if someone else steals your secret API key, they shouldn’t be able to simply transfer your cryptocurrency balance to their own wallet, as cryptocurrency exchanges disable API withdrawal permissions by default.

However, while conducting threat intelligence operations, our researchers found that in recent weeks, the number of trade offers for stolen cryptocurrency exchange API keys appeared to be steadily increasing across hacker forums. 

Apparently, there’s an emerging criminal business model, with ‘experienced trader’ teams offering to ‘clear out’ crypto exchange accounts by exploiting stolen API keys.

Needless to say, this caught our attention. To help cryptocurrency exchange users protect their hard-earned coins, we decided to investigate this emerging trend and learn as much as we can about how these API keys are being exploited by threat actors.

What we found was incredibly alarming: it appears that stolen API keys for cryptocurrency trading apps are being used by cybercriminals to easily empty their victims’ accounts on all major cryptocurrency exchanges. 

Even worse, criminals can easily circumvent “trade-only” settings on the API keys and steal money from traders’ accounts even without obtaining their account credentials or withdrawal rights. 

How cybercriminals abuse stolen API keys

Usually, cryptocurrency exchanges offer three types of API permissions to traders:

  • Data permissions allow APIs to read your exchange account data, including open orders, balances, and trade history, without making any changes to your account. 
  • Trade permissions allow APIs to execute trades, place open orders, and close orders on your behalf.
  • A withdrawal permission allows APIs to withdraw cryptocurrencies from your exchange account and transfer them to another location. With this permission enabled, an app would be able to move your funds to another wallet without your say-so.

For security reasons, cryptocurrency exchanges disable the withdrawal permission by default. With that said, most of the ads posted on cybercriminal forums claim that their owners were able to withdraw up to 80% of their victims’ cryptocurrency balance, which they would then split with the owner of the stolen API keys.

(An example of an API key exploit service ad on a hacker forum: ‘experienced traders’ offering to withdraw up to 80% of funds from compromised exchange accounts, depending on the exchange)

This would make you think that the criminal service providers behind those ads would require stolen API keys that have been granted withdrawal permissions. However, after conducting a series of tests, we were not able to find a single stolen API key for sale with withdrawal rights enabled. 

Were criminals able to withdraw funds without withdrawal rights?

Unfortunately, to steal funds from exchange accounts, threat actors don’t even need to withdraw them directly: by trading on their victims’ behalf with the appropriate permissions, they can simply trade away their balances via outrageously unprofitable trades against bots set up by the criminals themselves.

During our investigation of the stolen exchange API key abuse techniques used by cybercriminals, we learned that threat actors primarily employ two API key exploitation methods to steal funds from traders: ‘sell wall’ buyouts and price boosting. 

Note: we successfully tested these methods ourselves on our own account on the Binance cryptocurrency exchange, and it seems that accounts on all popular crypto exchanges can be potentially exploited this way.

Buying ‘sell walls’

‘Sell walls’ are a common market manipulation technique employed both in the stock and cryptocurrency markets. In the world of crypto, these are massive market sell orders artificially created by market manipulators in order to lower cryptocurrency prices or keep them below the maximum threshold and buy up a lot of coins on the cheap.

In many cases, these massive orders will only appear for minutes or even seconds at a time, and then get removed altogether.

Our investigation found that cybercriminals use the same ‘sell wall’ technique, but with a twist. In this case, the ‘sell walls’ are created by threat actors using compromised trader accounts, set up using their stolen API keys.

According to CyberNews researcher Martynas Vareikis, in order to generate a price movement, criminals set up their trading bots to open many small sell orders below market value – or a single massive sell order if the victim’s account balance is big enough – while at the same time, the same bot opens automatic buy orders for the coins that the victim is forced to ‘sell’.

“This creates a visible ‘sell wall’ in the buy/sell order chart of the cryptocurrency exchange, where legitimate trading bots usually manage to buy up to approximately 20% of the ‘wall’ before their trade balances become exhausted, leaving the other 80% to the trading bots set up by the criminals,” says Vareikis. 

After completing one sell order at an incredibly low price, another order is immediately set up to sell more coins, causing an even bigger loss to the victim. Rinse and repeat, however many times it takes to gradually sell the victim’s entire account balance to the threat actors’ trading bots at deflated prices. 

This way, the victim’s funds can completely evaporate in mere milliseconds, as this is all the time needed for such automatic trade order executions to take place.

Price boosting

Price boosting is the second technique commonly used by criminals to exploit stolen API keys. This method involves buying cheap coins whose trading volume is very low to briefly increase their price, and then selling them back to the victim at extortionary rates. 

Criminals begin their operation by depositing an extremely cheap, unpopular cryptocurrency within their own middleman account before exploiting the victim’s account. 

Then, around 80% of the victim’s account is used to initiate a big buy order for the same cryptocurrency. The low trading volume is what allows cybercriminals to massively inflate the price of the coin simply by initiating large buy orders.

At the same time, the middleman account is used to SELL the inflated coin to the victim for a boosted price. After the orders are executed, the trade volume and price go back to normal, leaving the victim with a bunch of virtually worthless coins that they were forced to buy from the threat actors at outrageous prices.

How cybercriminals obtain stolen API keys

There are several ways for cybercriminals to acquire someone else’s API keys without installing malware or spyware on their device. This includes scanning publicly accessible web application environment files and public code repositories for leaked private keys. 

Most web applications use environment (ENV) files to store framework settings that are essential for an application to work, and may in certain cases include API keys. In most cases, these files are stored under lock and key. However, sometimes they are left unprotected, which means that anyone, including cybercriminals, can access their contents and extract any useful information found within.

Similarly to ENV files, files stored in public code repositories can contain exposed authentication tokens. Public repositories such as GitHub are notorious for being goldmines for cybercriminals, with some storing hundreds of thousands of leaked credentials, files, and – you guessed it – API keys.
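The two leak paths just described (an unprotected ENV file and a hard-coded key in a public repository) are both catchable before a commit ever leaves the developer's machine. The following scanner is an added example written for this article, not code from CyberNews or from any exchange: it flags assignments of high-entropy tokens to key-like names, checks whether the file would be excluded by a `.gitignore`, and runs over a constructed sample tree with placeholder values. The regex, the 3.5 bits/character entropy cut-off and the sample files are all assumptions made for the demonstration, not a real exchange's key format.

```python
import fnmatch
import math
import re
from pathlib import PurePosixPath

# Assignment of a key-like name (contains API_KEY or SECRET) to a long token.
# Heuristic only; constructed for this example, not tied to any exchange's real key format.
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z0-9_]*(?:API_?KEY|SECRET)[A-Za-z0-9_]*)\s*[=:]\s*['"]?(?P<value>[A-Za-z0-9+/=_-]{16,})['"]?""",
    re.IGNORECASE,
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking keys score high, placeholders score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_credentials(text: str, min_entropy: float = 3.5) -> list[dict]:
    """One finding per line that assigns a high-entropy token to a key-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        if entropy >= min_entropy:
            findings.append({
                "line": lineno,
                "name": m.group("name"),
                "entropy": round(entropy, 2),
                "preview": value[:4] + "...",   # never echo the full secret into a report
            })
    return findings


def is_ignored(path: str, gitignore: str) -> bool:
    """Minimal .gitignore check: basename or full-path glob (no negation or directory rules)."""
    name = PurePosixPath(path).name
    for pattern in gitignore.splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith("#"):
            continue
        if fnmatch.fnmatch(name, pattern) or fnmatch.fnmatch(path, pattern):
            return True
    return False


def audit_tree(files: dict[str, str], gitignore: str) -> dict[str, list[dict]]:
    """Scan only the files git would actually commit; ignored files are skipped."""
    report = {}
    for path, content in files.items():
        if is_ignored(path, gitignore):
            continue
        findings = find_credentials(content)
        if findings:
            report[path] = findings
    return report


# Constructed sample tree for a trading bot (placeholder values, not real credentials).
SAMPLE_ENV = """\
APP_NAME=trading-bot
EXCHANGE_API_KEY=aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY
EXCHANGE_API_SECRET=Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe
LOG_LEVEL=info
"""

SAMPLE_BOT = """\
import os
api_key = os.environ["EXCHANGE_API_KEY"]            # good: read from the environment
api_secret = "Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe"     # bad: hard-coded secret
PLACEHOLDER_API_KEY = "your_api_key_here"            # placeholder, low entropy
"""

SAMPLE_TREE = {".env": SAMPLE_ENV, "bot.py": SAMPLE_BOT}
GITIGNORE_WITH_ENV = ".env\n__pycache__/\n"
GITIGNORE_EMPTY = ""


def run_demo() -> dict:
    """Same tree audited with and without the .env exclusion Jones recommends."""
    return {
        "with_gitignore": audit_tree(SAMPLE_TREE, GITIGNORE_WITH_ENV),
        "without_gitignore": audit_tree(SAMPLE_TREE, GITIGNORE_EMPTY),
    }


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, report)
```

With the `.env` exclusion in place only `bot.py` is reported (its hard-coded `api_secret`), which is the point: a `.gitignore` entry protects the ENV file but does nothing for a secret pasted into source. Wiring `audit_tree` into a pre-commit hook catches both cases before the push.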

Aaron Jones, Lead Cyber Instructor at University of Advancing Technology, says that API keys are valuable, which makes them highly sought after by cybercriminals. “API keys should NEVER be pushed to websites like GitHub or GitLab but instead should be abstracted from your application in a file that has been added to a .gitignore file,” adds Jones.

“Criminals usually snag API keys the easy way, harvested in sitting duck S3 buckets, hard-coded into GitHub-posted source code, or even phishing. You’d be amazed how often this happens. API access is, by definition, a network event. Log and analyze your activity so you see the attempts early on. This is especially true with crown jewels like API keys,” says Stel Valavani, founder and CEO at onShore Security.
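Valavani's advice to log and analyze API activity can be made concrete. The detector below is an added example for this article, not code from CyberNews or from any exchange; it runs over a constructed API activity log and raises two kinds of alert that correspond to the abuse described earlier: a key suddenly used from a source IP it has never been seen on, and limit orders placed far from the mark price (sells deep below market, as in the ‘sell wall’ buyout, or buys far above it, as in price boosting on a thinly traded coin). The log format, the known-IP baseline and the 10% tolerance are assumptions made for the demonstration; a real deployment would tune the tolerance per trading pair.

```python
import re

# Constructed API activity log (not real exchange output). Fields: key id, source IP,
# action and, for orders, side, pair, limit price, quantity and the mark price at the time.
SAMPLE_LOG = """\
2021-05-10T09:15:02Z key=k1 ip=203.0.113.10 action=balances
2021-05-10T09:15:05Z key=k1 ip=203.0.113.10 action=order side=SELL pair=BTC/USDT price=55900 qty=0.10 mark=56100
2021-05-10T09:16:41Z key=k1 ip=198.51.100.77 action=order side=SELL pair=BTC/USDT price=44800 qty=0.50 mark=56100
2021-05-10T09:16:41Z key=k1 ip=198.51.100.77 action=order side=SELL pair=BTC/USDT price=44700 qty=0.50 mark=56100
2021-05-10T09:16:42Z key=k1 ip=198.51.100.77 action=order side=BUY pair=XYZ/USDT price=0.0420 qty=900000 mark=0.0030
2021-05-10T09:20:00Z key=k2 ip=192.0.2.8 action=order side=BUY pair=ETH/USDT price=4020 qty=1.0 mark=4000
"""

# Source IPs each key has legitimately been used from before (the trader's own bot host).
# Constructed baseline for the sample above.
KNOWN_IPS = {"k1": {"203.0.113.10"}, "k2": {"192.0.2.8"}}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; the timestamp has no key of its own."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def off_market(rec: dict, tolerance: float) -> bool:
    """True for a limit order priced more than `tolerance` away from the mark, against the trader."""
    if rec.get("action") != "order":
        return False
    price, mark = float(rec["price"]), float(rec["mark"])
    if rec["side"] == "SELL":
        return price < mark * (1 - tolerance)   # selling far below market
    if rec["side"] == "BUY":
        return price > mark * (1 + tolerance)   # buying far above market
    return False


def detect(log_text: str, known_ips: dict, tolerance: float = 0.10) -> list[dict]:
    """Return alerts in log order; a new IP is reported once per key, then learned."""
    seen = {k: set(v) for k, v in known_ips.items()}
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        key, ip = rec["key"], rec["ip"]
        if ip not in seen.setdefault(key, set()):
            seen[key].add(ip)
            alerts.append({"line": lineno, "key": key, "rule": "new_source_ip", "detail": ip})
        if off_market(rec, tolerance):
            alerts.append({
                "line": lineno, "key": key, "rule": "off_market_order",
                "detail": f"{rec['side']} {rec['pair']} at {rec['price']} vs mark {rec['mark']}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

On the sample, the first order from the unfamiliar IP fires both rules at once, and the two following orders keep firing the price rule; key `k2`, trading from its usual host at a price near the mark, produces nothing. Because the funds disappear in milliseconds, the alert is only useful if it is wired to an automatic response, such as revoking the key, rather than a next-morning review.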

Our own tests conducted during this investigation have shown that on average, exchange API keys found in public repositories belong to accounts that hold about $5,000 worth of cryptocurrency, with the highest account balance reaching $154,000 – with trade rights enabled. 

The overall net worth of exchange accounts that had their API keys exposed on public code repositories was more than $1,000,000 in cryptocurrency.

(Example of publicly committed source code of a cryptocurrency trading bot, with Binance API keys visible to everyone)

Even though no exposed API keys we found during our investigation had withdrawal rights enabled, more than 90% had granted trade permissions, which would let cybercriminals easily empty out the victims’ trading accounts.

How to protect your API keys

If you’re a crypto trader, here are a few simple steps you can take to protect your API keys from being abused by ‘experienced traders’ who like to advertise their services on hacker forums:

  • Whitelist your IP address. Major cryptocurrency exchanges allow whitelisting IP addresses for API key usage. Enabling this feature will stop most criminals from trading away your balance, as long as they don’t have access to your trading bot control panel.
  • Treat your API keys as the private key of your cryptocurrency wallet. Namely, don’t store them on your hard drive and do not disclose them to anyone. If your API keys get into someone else’s hands – your money is as good as stolen.
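To show why the IP allowlist and the permission split matter, here is a toy model of the exchange side of the API, written as an added example for this article and not taken from CyberNews or from any real exchange. The client signs each request with HMAC-SHA256 over a canonical payload using the secret key, as the report describes; the server then checks, in order, the source IP against the key's allowlist, the signature, the request age, and whether the endpoint's required permission (read, trade or withdraw) is granted to the key. The endpoint names, the 5-second skew window and the documentation-range IPs are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Permission each endpoint needs; mirrors the data / trade / withdrawal split in the article.
ENDPOINT_SCOPE = {"/balances": "read", "/order": "trade", "/withdraw": "withdraw"}


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    secret: str
    scopes: frozenset        # subset of {"read", "trade", "withdraw"}
    ip_allowlist: frozenset  # empty means "any source IP", the weak default


def sign(secret: str, payload: str) -> str:
    """HMAC-SHA256 over the canonical payload; the secret itself never goes on the wire."""
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def build_request(key: ApiKey, path: str, params: dict, now_ms: int) -> dict:
    """Client side: canonicalise params, append a timestamp, attach key id and signature."""
    fields = dict(sorted(params.items()))
    fields["timestamp"] = now_ms
    payload = "&".join(f"{k}={v}" for k, v in fields.items())
    return {"path": path, "key_id": key.key_id, "payload": payload,
            "signature": sign(key.secret, payload)}


class Exchange:
    """Server side: every check a stolen trade-only key should fail."""

    def __init__(self, keys, max_skew_ms: int = 5000):
        self.keys = {k.key_id: k for k in keys}
        self.max_skew_ms = max_skew_ms

    def handle(self, req: dict, source_ip: str, now_ms: int) -> tuple[int, str]:
        key = self.keys.get(req["key_id"])
        if key is None:
            return 401, "unknown key"
        if key.ip_allowlist and source_ip not in key.ip_allowlist:
            return 403, "source IP not on allowlist"          # stops a stolen key used elsewhere
        expected = sign(key.secret, req["payload"])
        if not hmac.compare_digest(expected, req["signature"]):
            return 401, "bad signature"                       # payload altered or wrong secret
        params = dict(p.split("=", 1) for p in req["payload"].split("&"))
        if abs(now_ms - int(params.get("timestamp", 0))) > self.max_skew_ms:
            return 401, "stale request"                       # blocks replay of a captured request
        needed = ENDPOINT_SCOPE.get(req["path"])
        if needed is None:
            return 404, "unknown endpoint"
        if needed not in key.scopes:
            return 403, f"key lacks '{needed}' scope"         # withdrawal stays off by default
        return 200, "ok"


def run_demo() -> dict:
    """A trade-only key, allowlisted to one host, exercised from several angles."""
    now = 1_621_000_000_000   # fixed clock (ms) so the run is reproducible; constructed value
    trade_key = ApiKey("k-trade", secrets.token_hex(32), frozenset({"read", "trade"}),
                       frozenset({"203.0.113.10"}))
    exchange = Exchange([trade_key])

    order = build_request(trade_key, "/order",
                          {"symbol": "BTCUSDT", "side": "SELL", "qty": "0.1"}, now)
    withdraw = build_request(trade_key, "/withdraw",
                             {"asset": "BTC", "address": "PLACEHOLDER_ADDRESS"}, now)
    tampered = dict(order, payload=order["payload"].replace("qty=0.1", "qty=5"))
    stale = build_request(trade_key, "/order", {"symbol": "BTCUSDT"}, now - 60_000)

    return {
        "trade_from_allowed_ip": exchange.handle(order, "203.0.113.10", now),
        "withdraw_with_trade_key": exchange.handle(withdraw, "203.0.113.10", now),
        "trade_from_other_ip": exchange.handle(order, "198.51.100.77", now),
        "tampered_payload": exchange.handle(tampered, "203.0.113.10", now),
        "replayed_old_request": exchange.handle(stale, "203.0.113.10", now),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:26s} -> {result}")
```

The ordering of the checks is the design point: with a non-empty allowlist, a correctly signed request from a host the trader never registered is refused before the signature is even examined, which is exactly the outcome the first bullet above relies on. The scope check alone is what the criminals in this report are working around; an empty allowlist leaves a trade-only key fully usable from anywhere.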

Alex Bodryk, managing director at Cyberlands, adds that rotating your API keys and passwords each quarter will help protect against cybercriminals leveraging old data leaks to gain access to your exchange account. “Be vigilant and don’t reply to any communication from a crypto exchange. Instead, reach out to them via official channels. Install and update antivirus software from a well-known vendor. Use a password manager for protecting your secrets – and never store any API keys or passwords in clear text,” says Bodryk.

According to Troy Gill, GPEN, threat hunter, and manager of security research at Zix, due to the risky nature of enabling trades via APIs, it can be a good idea to have a dedicated personal machine that is used solely for this purpose. “Avoid connecting to any public networks, do not use that machine for browsing, email, or other web-related activities. If you suspect you may have exposed your API data, delete your key (in the exchange) immediately,” concludes Gill.

About the Author: Edvardas Mikalauskas
