Although the malicious code was also injected into hundreds of thousands of other websites using the StatCounter service, the script only activated when the URL or content of the webpage contained a specific Uniform Resource Identifier (URI): myaccount/withdraw/BTC. The “myaccount/withdraw/BTC” URI is exclusively associated with a gate.io webpage that lets users make Bitcoin withdrawals and transfers.
The malicious script was intended to replace the destination Bitcoin address of transfers with an address belonging to the hackers.
Attackers successfully breached StatCounter on November 3, and ESET notified the company on November 5 when it discovered the hack, which the security firm labeled a “supply chain” attack because the malicious script appeared on the service used by the target.
“Even if we do not know how many bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular, a cryptocurrency exchange,” the researcher says.
StatCounter removed the malicious script on November 6, several hours before the Gate.io cryptocurrency exchange platform stopped using the popular analytics service to prevent further damage. Gate.io also claimed the company subsequently scanned its website with 56 antivirus products, and “no one reported any suspicious behavior at that time.”
The exchange also reported that its “users’ funds are safe,” but it did not reveal how many customers who performed transfers between November 3 and 6 had lost their funds, nor did it promise to reimburse those users. Gate.io also urged its customers to maximize the security levels on their accounts by enabling two-factor authentication (2FA) and two-step login protection.
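The incident turned on a third-party analytics script running on the withdrawal page. As an added example (not code from the article, ESET, StatCounter or Gate.io), the following Node.js check flags pages on sensitive paths that load scripts from another host. The hostnames, markup and function names are constructed for illustration, and the path pattern is taken from the URI named above.

```javascript
// Added example: audit pages on sensitive paths for scripts served by another host.
// All hostnames and markup below are constructed sample data.

// Path pattern derived from the URI named in the article.
const SENSITIVE_PATHS = [/myaccount\/withdraw\//i];

// Return absolute URLs of <script src> tags whose host differs from the page's host.
function externalScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    let src;
    try {
      src = new URL(m[1], page); // resolves relative and protocol-relative URLs
    } catch (e) {
      continue; // unparseable src value: nothing to compare
    }
    if (src.host !== page.host) found.push(src.href);
  }
  return found;
}

// A page is a violation when it is on a sensitive path and pulls in any external script.
function auditPage(pageUrl, html) {
  const sensitive = SENSITIVE_PATHS.some((re) => re.test(new URL(pageUrl).pathname));
  const scripts = externalScripts(pageUrl, html);
  return { pageUrl, sensitive, scripts, violation: sensitive && scripts.length > 0 };
}

// Constructed pages: a home page, a withdrawal page with analytics, one without.
const SAMPLE_PAGES = [
  ["https://exchange.example/",
   '<script src="//www.analytics.example/counter/counter.js"></script>'],
  ["https://exchange.example/myaccount/withdraw/BTC",
   '<script src="/static/app.js"></script>\n' +
   '<script async src="//www.analytics.example/counter/counter.js"></script>'],
  ["https://exchange.example/myaccount/withdraw/ETH",
   '<script src="/static/app.js"></script>'],
];

function auditAll(pages) {
  return pages.map(([url, html]) => auditPage(url, html));
}

for (const r of auditAll(SAMPLE_PAGES)) {
  console.log(r.violation ? "VIOLATION" : "ok", r.pageUrl, r.scripts.join(", "));
}
```

The check only inspects static `<script src>` tags in the markup it is given; scripts injected at runtime by other scripts would need a browser-based crawl to enumerate.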