Cybercriminals Compromise StatCounter To Steal Bitcoin From Gate.io Exchange

Kevin O'Brien

A staff member from IT security company ESET wrote on November 6th about the company's research into an attack on a cryptocurrency exchange that used malicious JavaScript.

Matthieu Faou said cybercriminals managed to break into StatCounter, a well-known website similar to Google Analytics that gives webmasters information about their visitors.

The attackers managed to insert a bit of malicious code into the external StatCounter JavaScript that webmasters often load on their sites through a script tag.

They were then able to steal cryptocurrency from the Gate.io exchange once the malicious code was embedded into the pages of its website.

Gate.io The Main Target

ESET said the Gate.io exchange seemed to be the target of the scheme even though millions of different websites could have utilized the modified code.

The security company cited data from coinmarketcap.com in its post to note how several million dollars' worth of transactions flow through the exchange each day.

According to ESET, the malicious script “tries to redirect any bitcoin transactions to one of several wallet addresses controlled by the masterminds of this attack,” if that specific path is “accessed by a visitor.”

Overall, the scheme was designed to be virtually unnoticeable to the victims. Reporting said the exchange has stopped using StatCounter and removed its script from its website.

Questions About Number of Bitcoins Stolen

There are questions about how many bitcoins were taken in the scheme because a new bitcoin address was created each time the malicious script was forwarded to a victim.

Trying to determine losses is also complicated due to the use of multiple wallets by the attackers.

Reports explained that ESET notified StatCounter and Gate.io about the scheme.

The company said the theft was an example of how “far attackers go to target one specific website, in particular a cryptocurrency exchange,” especially since they “compromised” a well-known website to steal from just one exchange.

Reporting by ZDNet noted how the situation with StatCounter is yet another example of “recent supply-chain attacks” where third-party JavaScript has been loaded onto websites.