The attack target appears to be cryptocurrency trading site Gate.io, the report says, given that it is the only one that uses the “myaccount/withdraw/BTC” Uniform Resource Identifier (URI).
“The users’ funds are safe,” Gate.io said, but it urged customers to maximize the security levels on their accounts.
ESET said it notified the company as soon as it discovered the hack, which it labeled as a “supply chain” attack, given where the malicious code appeared. The company said Wednesday that it has stopped using StatCounter’s services and removed the malicious script.
Most of the malicious bitcoin transactions were undetected initially by users, ESET says, because the redirection in addresses only occurs after the transfer is submitted.
Gate.io handles several million dollars in transactions daily, according to coinmarketcap.com.
ESET notes that the attacker’s domain had already been suspended in 2010 for abuse.
StatCounter is used by more than 2 million websites and generates stats on more than 10 billion page views per month, according to StatCounter’s website.