StatCounter Hacked to Inject Malicious Script in Cryptocurrency Exchange

The web analytics platform StatCounter was compromised on November 3 by attackers who modified its global site-tracking script to steal Bitcoins from a cryptocurrency exchange's withdrawal page, as discovered by ESET's Matthieu Faou.

"The script targets a specific Uniform Resource Identifier (URI): myaccount/withdraw/BTC. It turns out that among the different cryptocurrency exchanges live at time of writing, only has a valid page with this URI," said Faou. "Thus, this exchange seems to be the main target of this attack."

Given that more than 2 million websites use StatCounter's website tracking platform and it monitors stats for roughly 10 billion pages every month, it's easy to understand why the actors behind the attack marked them as a target.
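A defender-side check suggested by the URI targeting described above, as an added example that is not from the article or from ESET: it lists scripts served from another host on pages whose path contains the URI fragment quoted above. The hosts `exchange.example` and `analytics.example`, the function name `audit_page` and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# URI fragment quoted in the article; extend with your own sensitive routes.
SENSITIVE_MARKERS = ("myaccount/withdraw/BTC",)


class _ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if attr.get("src"):
            self.scripts.append((attr["src"], bool(attr.get("integrity"))))


def audit_page(page_url, html, markers=SENSITIVE_MARKERS):
    """Return (absolute_script_url, has_integrity) for off-host scripts on a sensitive page."""
    page = urlparse(page_url)
    if not any(m.lower() in page.path.lower() for m in markers):
        return []  # not a sensitive route, nothing to report
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_integrity in collector.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        if urlparse(absolute).hostname != page.hostname:
            findings.append((absolute, has_integrity))
    return findings


# Constructed sample: hosts and markup are placeholders, not captured data.
SAMPLE_URL = "https://exchange.example/myaccount/withdraw/BTC"
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="//analytics.example/counter/counter.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for url, pinned in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"third-party script on sensitive page: {url} integrity={pinned}")
```

Every finding is a script that runs with full access to the sensitive page's DOM, so each one is a candidate for removal from that route or for self-hosting a reviewed copy.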

The hackers altered the platform's main tracking script available at www.statcounter[.]com/counter/counter.js by appendin...