Hackers Infiltrate 600K Websites Through StatCounter in Search of Bitcoin

Cybercriminals have hacked one of the largest website traffic analytics platforms on the web, and with it have injected malicious code into over 600,000 websites in an attempt to gain access to Bitcoin held at cryptocurrency exchange Gate.io.

Gate.io Targeted Through StatCounter Backdoor

Matthieu Faou, malware researcher for the Bratislava, Slovakia-based cybersecurity firm ESET, has discovered a line of malicious code in a website traffic-tracking script provided by leading website analytics firm StatCounter, reports ZDNet.

StatCounter, like Google Analytics and Alexa, track various metrics websites use for audience development, sales conversations and much more. Websites are required to add a line of code to their sites, which then tracks these certain website statistics. However, that requirement has turned into a vulnerability, leading to over 688,000 websites loading the line of malicious code.

The nearly 700,000 websites appear to be safe from any potential harm, as the malicious code specifically targets Bitcoin transactions being made through popular cryptocurrency exchange Gate.io. Gate.io is currently ranked 40th by adjusted trading volume, according to data from CoinMarketCap, with nearly $50 million in daily trading volume, making the exchange a prime target for cybercriminals.

The ESET malware researcher says that the code was first added to StatCounter’s website-tracking script on November 3, and the code is still currently active four days later. Faou claims to have reached out to StatCounter, but has yet to receive a response.

“The JavaScript file at www.statcounter[.]com/counter/counter.js is still compromised,” Faou explained.

Faou adds that the malicious code very specifically searches for web pages that contain the URL path “myaccount/withdraw/BTC” – a URL string that is uniquely found on the section of Gate.io that manages a user’s Bitcoin transfers.

The code, Faou says, functions like common cryptocurrency-targeting clipboard malware, where correct Bitcoin wallet addresses are replaced by wallet addresses owned by the cybercriminals who injected the code.

The hackers have also taken steps to hide their tracks, using a different Bitcoin address for each new victim that falls prey to the malware. Users may not even notice the change of address until it’s too late, as the malware is designed to trigger after the user clicks on the submit button to transfer funds. Because of all the uncertainty surrounding the hack, Faou says it is unknown how many BTC the hackers have made off with as a result.

Gate.io has since made a statement on Twitter, claiming to have removed the StatCounter tracking script from its website. However, there still appears to be a vulnerability in StatCounter’s security that could effect any of the two million websites StatCounter services. StatCounter itself is ranked among the top 2,500 websites in the United States, and is ranked 5,072 globally, according to Alexa Traffic Ranking data.