The firm's Matthieu Faou said gate.io was a popular exchange, with millions of dollars, including US$1.6 million in bitcoin, being transacted every day.
Statcounter has more than two million members and calculates Web statistics on more than 10 billion page views each month. Its Alexa ranking is a little above 5000.
The inserted code had the effect of creating a Web page that would transfer bitcoin from a gate.io account to an external bitcoin address.
The redirection of the withdrawal probably went unnoticed by victims, as it happened only after they clicked the submit button, he pointed out.
"Even if we do not know how many bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange," Faou said.
"To achieve this they compromised an analytics service’s website, used by more than two million other websites, including several government-related websites, to steal bitcoin from customers of just one cryptocurrency exchange website."
And, he added, "It also shows that even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource.
"This is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice."
Contacted for comment, Statcounter's Aodhan Cullen said: "The extra piece of Javascript code has been removed.
"We are using a content delivery network to speed up the delivery of our service to our users around the world. We suspect that it was through the CDN that the extra piece of Javascript was added.
"We're investigating currently. We'll let you know when we have more details."