statcounter
StatCounter analytics tag hijacked to steal gate.io withdrawals
ESET disclosed on 2018-11-06 that attackers had injected malicious JavaScript into the official StatCounter tracking script `www.statcounter.com/counter/counter.js` on 2018-11-03, served to roughly 2 million sites embedding StatCounter analytics. Conditional code triggered only on URI paths matching `myaccount/withdraw/BTC` — i.e. the gate.io cryptocurrency exchange's BTC withdrawal page — and pulled a second stage from the lookalike `statconuter.com/c.php`. The payload silently rewrote the destination wallet on Bitcoin withdrawals to attacker-controlled `1JrFLmGVk1ho1UcMPq1WYirHptcCYr2jad`, capping at the user's daily withdrawal limit. Gate.io stopped using StatCounter on 2018-11-06 and StatCounter removed the script the same day.
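The second stage described above was fetched from a host one transposition away from the real vendor domain. The following is an added example, not code from ESET, StatCounter or gate.io: it classifies script URLs seen on a page against an allowlist and flags near-miss hostnames. The allowlist, the `https://` schemes, the distance threshold and the sample URLs are assumptions constructed for illustration. It catches the request to the lookalike host, not tampering inside the legitimate `counter.js` itself.

```javascript
// Added example: flag script hosts that resemble, but are not, an approved vendor host.
// ALLOWED_HOSTS, maxDistance and the sample URLs are constructed for illustration.
const ALLOWED_HOSTS = ["www.statcounter.com"];

// Optimal string alignment distance: Levenshtein plus adjacent-character transposition.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // swapped neighbours
      }
    }
  }
  return d[a.length][b.length];
}

// Compare hosts without a leading "www." so that label does not count as edits.
const normalize = (h) => h.toLowerCase().replace(/^www\./, "");

// Returns verdict "allowed", "lookalike" (close to an allowed host) or "unknown".
function classifyScriptHost(url, allowed = ALLOWED_HOSTS, maxDistance = 2) {
  const host = normalize(new URL(url).hostname);
  let nearest = null;
  for (const entry of allowed) {
    const ref = normalize(entry);
    if (host === ref) return { host, verdict: "allowed", nearest: ref, distance: 0 };
    const dist = osaDistance(host, ref);
    if (dist <= maxDistance && (!nearest || dist < nearest.dist)) nearest = { ref, dist };
  }
  return nearest
    ? { host, verdict: "lookalike", nearest: nearest.ref, distance: nearest.dist }
    : { host, verdict: "unknown", nearest: null, distance: null };
}

// Constructed list of script URLs, as they might appear in a page's request log.
const observed = [
  "https://www.statcounter.com/counter/counter.js",
  "https://statconuter.com/c.php",
  "https://cdn.example.org/app.js",
];
for (const u of observed) console.log(u, "->", classifyScriptHost(u).verdict);
```

A Content-Security-Policy `script-src` restricted to the exact vendor host would block the same second-stage request in the browser; this check is the log-side counterpart.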
- Date: 2018-11-03 to 2018-11-06
- Category: Commercial
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Cryptocurrency theft
- Cause: Website compromise
Incident Context
- Motive: Cryptocurrency theft
- Attribution: Unknown attacker
- Transitive: Yes
- User Impact: 2000000
- Observed Duration: 3 days
Source Data
Source record: proprietary/statcounter/meta.yaml