Crypto trading firm 3Commas has denied its employees’ stole user’s API keys, claiming that screenshots circulating on social media are fake and urging affected users to file police reports to stop the perpetrators from stealing their funds. 

In a blog post published on Dec. 11, 3Commas co-founder and CEO Yuriy Sorokin said that fake screenshots of Cloudflare logs are circulating on Twitter and YouTube “in an attempt to convince people that there was a vulnerability within 3Commas and that we were irresponsible enough to allow open access to user data and log files.” The alleged screenshots intend to show how customer’s API keys were exposed in 3Commas dashboard on Cloudflare.

In an another blog post, on Dec. 10, Sorokin encouraged affected users to file a police report to get their exchange accounts frozen. “The faster this is done, the faster exchanges can freeze the accounts of the perpetrators to stop funds from being withdrawn and increase the likelihood that some, or all, of the funds may be returned to victims.”

Since the majority of crypto exchanges follow Know Your Customer standards, users are required to provide identity details to trade or withdraw funds. If affected users provided a police report, exchanges would be able to share this information with investigators, noted the company.

As reported by Cointelegraph, a crypto trader who goes by CoinMamba on Twitter had his account closed Binance after he complained about lost funds. The leaked API key was tied to a 3Commas account. Both Binance and 3Commas deny any responsibility for the incident.

3Commas claims to have identified evidence of phishing attacks as a “contributory factor” for thefts. According to the company, the phishing attacks started in October, with bad actors trying different techniques. Sorokin stated:

“Also, we have hard evidence that phishing was at least in some part a contributory factor; we published a blog article here showing many fake 3Commas websites that were created and some are still live on the internet, despite our best efforts to have them taken down.”

Exchange API connections older than 90 days are being disabled by the company.