Inside money, markets, and big tech

Hackers infect nearly 700,000 sites with Bitcoin-stealing malware

... but just one cryptocurrency exchange was the real target

Cryptocurrency hackers have attacked one of the internet’s most used traffic analytics services, StatCounter, in order to siphon Bitcoin BTC from users of online exchange desk

In a targeted attack, hackers breached StatCounter to such an extent that over 688,000 websites were caught loading the malicious script, ZDNet reports.

StatCounter is much akin to Google Analytics, in that it allows analysis of the internet traffic flowing through websites. Webmasters must add special StatCounter code to their sites in order to get the statistics, an aspect of its design that hackers appear to have leveraged to spread their malicious code as widely as possible.

The attack redirected the Bitcoin of cryptocurrency traders, particularly when users withdrew or transferred their Bitcoin. The code simply replaced any Bitcoin address entered into the page with one owned by the hackers.

Security researchers from ESET, a Slovakian cybersecurity firm, were the first to discover the exploit, which it describes as a “supply-chain attack.”

ESET notes that while close to a million websites were affected, the entire threat seems to have been localized to one particular URL domain:, a cryptocurrency exchange currently handling over $1.7 million worth of Bitcoin every day.

According to ESET, the malicious code wouldn’t actually do anything unless the link contained a specific string: “myaccount/withdraw/BTC.” Researchers identified to be the only website using a URL that contained this string.

Despite the security breach lasting days, it’s difficult to say just how many individuals were affected by the attack, or even how much the hackers managed to make away with.

ESET notes the script automatically generated a new Bitcoin address each time it was run. This effectively neutralizes the ability to link Bitcoin transactions together in a meaningful way, which frustratingly protects the identity of the attackers. says it will remove StatCounter from its website altogether. It also urged users to enable two-factor authentication and two-step login protection.

Published November 7, 2018 — 11:16 UTC