Hackers Exploit Tracking Service to Infiltrate Bitcoin Exchange Gate.io


Statcounter is one of the oldest third-party user tracking services on the web, having existed since 1999. Beginning as a simple statistics and visitor counting service, Statcounter over time grew into what it is today: a full-fledged, enterprise-quality analytics service.

Gate.io, a more recent entrant in the bitcoin exchange space, used Statcounter to track user traffic until this week, when a security researcher named Matthieu Faou discovered that the Statcounter JavaScript file had been compromised. The injected code was specifically targeted at Gate, capturing and hijacking bitcoin transactions made through the Gate interface.

Faou works for ESET, a security firm on the order of MalwareBytes or Norton, which provides consumer and enterprise security products and necessarily conducts research and penetration tests. He says the compromise was designed to replace bitcoin withdrawal addresses on the Gate.io platform with addresses belonging to the attacker.

Primary Script Was Compromised, But Only Gate.io Was Targeted

The attack was more sophisticated than some previous attacks of the same nature, such as malvertising-based attacks which installed themselves in the browser and did the same thing across websites, rather than living in a piece of code on a single site. It was more sophisticated because the attackers generated a new address for each attack, making it extremely difficult to track the destination of the stolen funds.

It's thus difficult to determine exactly how many users were affected. It's also unknown how the breach of Statcounter happened in the first place.

The malicious code specifically targeted a relevant sector of the Gate.io code – namely, its withdrawal interface – and to Faou's knowledge, the part of the script dedicated to stealing funds would not have worked on any other site because other sites are designed differently.

In response to the attack, Gate.io has removed the Statcounter script from their site.
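A defender's view of the exposure described above, as an added example that is not from the original article or from Gate.io, Statcounter or ESET: this audit lists the scripts a page loads from other hosts and reports whether each one is pinned with a Subresource Integrity hash. The page URL, host names and HTML are constructed samples, and treating only an exact host match as first-party is an assumption of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))


def audit_third_party_scripts(page_url, html):
    """Return one finding per script served from a host other than the page's own."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ URLs
        host = urlsplit(absolute).hostname
        if host == page_host:  # assumption: exact host match means first-party
            continue
        pinned = bool(integrity and integrity.strip())
        findings.append({"host": host, "url": absolute, "pinned": pinned})
    return findings


# Constructed sample: a hypothetical exchange withdrawal page, not Gate.io's markup.
SAMPLE_URL = "https://exchange.example/myaccount/withdraw"
SAMPLE_HTML = """
<form id="withdraw"><input name="address"><input name="amount"></form>
<script src="/static/app.js"></script>
<script src="//analytics.example/counter.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTED"></script>
"""

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_URL, SAMPLE_HTML):
        status = "pinned with SRI" if f["pinned"] else "UNPINNED, runs with full page access"
        print(f"{f['host']:<20} {status:<38} {f['url']}")
```

An integrity hash only suits scripts whose content is fixed; a tracking script that the vendor updates in place cannot be pinned this way, which leaves not loading it on pages that handle withdrawals.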

Gate.io Says No Damages

According to a blog post by Gate.io, nothing actually happened as a result of the attack. This can only mean one of a couple of things.

One, the script was poorly written and failed to actually do its job.

Two, ESET and Faou discovered the attack before anyone made a withdrawal on which the JavaScript would fire.

On Nov. 6, 2018, we got the notice from ESET researchers' report and the ESET Internet Security product that there's a suspicious behavior in Statcounter's traffic stats service. We immediately scanned it on Virustotal in 56 antivirus products. No one reported any suspicious behavior at that ...

Read full story on CCN
