Earlier this week, we informed Liquid users that we had conducted an investigation into suspicious trade activity related to third-party services used by clients to access Liquid via API. As a result of our investigation, we swiftly banned a number of suspicious accounts and reached out to impacted users.
To further enhance security for Liquid customers, we will be invalidating all API tokens on Liquid at 7pm JST today. All users who wish to continue to use the Liquid API will need to log in to Liquid and navigate to “API Tokens” under “Account Settings”. There, you will be able to create new API tokens.
Crypto and fiat withdrawals are currently halted and pending withdrawals will be canceled while we carry out this process. Please visit our Help Center, follow our Twitter account or subscribe to our Telegram news channel to be informed when we resume withdrawals. Any withdrawals previously requested will need to be resubmitted. We apologize for any inconvenience caused.
We will continue to do all we can to keep our customers safe. This includes keeping funds secure and making it extremely difficult for any malicious actor to take over any other person’s account. However, we cannot control what happens outside of our exchange platform, including with third-party API services.
As a precaution, we strongly advise Liquid customers to:
- Whitelist IP addresses for API access on Liquid. Instructions can be found in our Help Center.
- Never share API keys with write permission enabled to third-parties.
- Never keep API keys anywhere they could potentially be viewed or stolen. API keys cannot be used to withdraw directly from your account, but if shared with third parties, can cause trade losses on your account.
If you have any questions or concerns, please visit the Liquid Help Center and talk to one of our Customer Champions.