Save over 40% when you secure your tickets today to TNW Conference 💥 Prices will increase on November 22 →

This article was published on November 7, 2018

Hackers infect nearly 700,000 sites with Bitcoin-stealing malware

... but just one cryptocurrency exchange was the real target


Hackers infect nearly 700,000 sites with Bitcoin-stealing malware

Cryptocurrency hackers have attacked one of the internet’s most used traffic analytics services, StatCounter, in order to siphon Bitcoin from users of online exchange desk Gate.io.

In a targeted attack, hackers breached StatCounter to such an extent that over 688,000 websites were caught loading the malicious script, ZDNet reports.

StatCounter is much akin to Google Analytics, in that it allows analysis of the internet traffic flowing through websites. Webmasters must add special StatCounter code to their sites in order to get the statistics, an aspect of its design that hackers appear to have leveraged to spread their malicious code as widely as possible.

The attack redirected the Bitcoin of cryptocurrency traders, particularly when Gate.io users withdrew or transferred their Bitcoin. The code simply replaced any Bitcoin address entered into the page with one owned by the hackers.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Security researchers from ESET, a Slovakian cybersecurity firm, were the first to discover the exploit, which it describes as a “supply-chain attack.”

ESET notes that while close to a million websites were affected, the entire threat seems to have been localized to one particular URL domain: Gate.io, a cryptocurrency exchange currently handling over $1.7 million worth of Bitcoin every day.

According to ESET, the malicious code wouldn’t actually do anything unless the link contained a specific string: “myaccount/withdraw/BTC.” Researchers identified Gate.io to be the only website using a URL that contained this string.

Despite the security breach lasting days, it’s difficult to say just how many individuals were affected by the attack, or even how much the hackers managed to make away with.

ESET notes the script automatically generated a new Bitcoin address each time it was run. This effectively neutralizes the ability to link Bitcoin transactions together in a meaningful way, which frustratingly protects the identity of the attackers.

Gate.io says it will remove StatCounter from its website altogether. It also urged users to enable two-factor authentication and two-step login protection.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top