
Gate.io / StatCounter Supply Chain Attack (2018)

📅 2018-11-03 🏢 StatCounter (web analytics provider) 🦠 Custom JavaScript Bitcoin address-replacement skimmer

Incident Details

On November 3, 2018, attackers compromised the StatCounter web analytics platform, used by hundreds of thousands of websites worldwide, and modified the StatCounter JavaScript tracking script (counter.js) to include a malicious payload specifically designed to steal Bitcoin from users of the cryptocurrency exchange Gate.io.

The attack was discovered and publicly disclosed by ESET researchers on November 6, 2018, and immediately reported to both StatCounter and Gate.io. This was a highly targeted supply chain attack: while the modified StatCounter script would execute on every website using the service, the malicious payload only activated on pages whose URI contained a specific string, myaccount/withdraw/BTC, which is unique to Gate.io's Bitcoin withdrawal page. This URL-specific trigger meant the malicious code was dormant on the vast majority of sites it was loaded on, activating exclusively when a Gate.io user initiated a Bitcoin withdrawal.

The attack mechanism was elegant and effective: when a Gate.io user navigated to the Bitcoin withdrawal page, the malicious script intercepted the transaction and silently replaced the user's intended destination Bitcoin address with an address controlled by the attackers. The victim would see no indication of tampering. The replacement address was dynamically generated on each page load, fetched from a domain controlled by the attackers, statconuter[.]com, a typosquat of the legitimate StatCounter domain designed to blend into network traffic logs.
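One way to surface a lookalike host such as the typosquat described above in DNS or proxy logs, shown as an added example that is not part of the original write-up or of ESET's analysis. The allowlist, the log lines, the distance threshold and all function names are assumptions made for illustration.

```javascript
// Added example. The allowlist and log lines are constructed for illustration.
const TRUSTED = ["statcounter.com", "googletagmanager.com"];

// Optimal string alignment distance: insertion, deletion, substitution and
// adjacent transposition each cost 1, so a swap such as "un" -> "nu" counts once.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Last two labels of a hostname. Simplification: no public suffix list, so
// names under suffixes like "co.uk" are not handled.
function baseDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Returns the trusted domain that `host` imitates, or null when the host is
// itself trusted or is not close to anything on the allowlist.
function lookalikeOf(host, trusted = TRUSTED, maxDistance = 2) {
  const base = baseDomain(host);
  if (trusted.includes(base)) return null;
  return trusted.find((t) => osaDistance(base, t) <= maxDistance) || null;
}

// Constructed DNS query log: "<timestamp> <client> <queried name>".
// Names are written defanged ("[.]") here and refanged before matching.
const SAMPLE_LOG = [
  "2018-11-05T10:01:02Z 10.0.0.7 www[.]statcounter[.]com",
  "2018-11-05T10:01:03Z 10.0.0.7 www[.]statconuter[.]com",
  "2018-11-05T10:01:04Z 10.0.0.9 cdn[.]example[.]org",
];

function scanLog(lines) {
  return lines
    .map((line) => line.split(" ")[2].replace(/\[\.\]/g, "."))
    .map((host) => ({ host, imitates: lookalikeOf(host) }))
    .filter((hit) => hit.imitates !== null);
}

console.log(scanLog(SAMPLE_LOG));
```

Plain Levenshtein distance would score the swapped letters as two edits; counting an adjacent transposition as one keeps the threshold tight enough to avoid matching unrelated short domains.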

The malicious code was injected into the middle of the legitimate StatCounter script rather than appended at the beginning or end, an unusual placement that made detection harder for analysts scanning scripts for appended malicious content.

The exact amount of Bitcoin stolen from Gate.io users was not publicly disclosed. Gate.io immediately removed the StatCounter script from its website upon being notified. StatCounter confirmed the compromise and took steps to remove the malicious code.

The incident was a significant early demonstration of the JavaScript supply chain attack model that would go on to become a major threat vector: by compromising a single widely deployed third-party script, attackers could reach users of thousands of downstream websites simultaneously, with highly targeted payload logic that minimized detection risk.

Technical Details

Initial Attack Vector: Compromise of StatCounter's web analytics platform; attackers injected malicious JavaScript into the StatCounter tracking script (counter.js), which silently replaced Bitcoin withdrawal destination addresses in real time on Gate.io's withdrawal page
Vendor / Product: StatCounter (web analytics provider)
Software Package: StatCounter counter.js tracking script
Malware Family: Custom JavaScript Bitcoin address-replacement skimmer
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-11-03 Breach occurred
  2. 2018-11-06 Publicly disclosed
  3. 2018-11-06 Customers notified