UPDATED 21:55 EST / NOVEMBER 06 2018

SECURITY

Hackers hijack Statcounter code in an attempt to steal bitcoin

Old-school web traffic analysis tool provider Statcounter Inc. has been hacked, exposing users of the service to malicious code that attempts to steal bitcoin.

Statcounter, established in 1999, offers a visitor tracking service that involves users installing JavaScript code on their websites to track visitors. The use of JavaScript is where both Statcounter and its users were exposed to malicious code.

According to researchers at Eset spol s.r.o, those behind the attack modified the script at www.statcounter[.]com/counter/counter.js by adding a piece of malicious code in the middle of the script. The fact that the code was inserted in the middle is unusual, researchers said, because “attackers generally add malicious code at the beginning, or at the end, of a legitimate file. Code injected into the middle of an existing script is typically harder to detect via casual observation.”
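A digest comparison against a reviewed copy flags an insertion wherever it sits in the file, which casual observation does not. The Node.js sketch below is an added example, not code from Eset or Statcounter: the script contents, the inserted line and the function names are constructed for illustration, and it assumes the site owner keeps a reviewed baseline copy of the third-party script.

```javascript
const crypto = require("crypto");

// SRI-style digest, the same format used by the HTML integrity attribute.
function sriDigest(text) {
  return "sha384-" + crypto.createHash("sha384").update(text, "utf8").digest("base64");
}

// Find the changed region by trimming lines common to both ends of the files.
function locateChange(baseline, fetched) {
  const a = baseline.split("\n"), b = fetched.split("\n");
  let start = 0;
  while (start < a.length && start < b.length && a[start] === b[start]) start++;
  let endA = a.length, endB = b.length;
  while (endA > start && endB > start && a[endA - 1] === b[endB - 1]) { endA--; endB--; }
  const position = start === 0 ? "beginning" : endA === a.length ? "end" : "middle";
  return { position, firstLine: start + 1,
           removed: a.slice(start, endA), added: b.slice(start, endB) };
}

// Compare a fetched copy with the pinned digest; on mismatch, report where it differs.
function checkScript(pinnedDigest, baseline, fetched) {
  const digest = sriDigest(fetched);
  if (digest === pinnedDigest) return { ok: true, digest };
  return { ok: false, digest, ...locateChange(baseline, fetched) };
}

// Constructed sample: a reviewed copy of a small tracking script (assumption).
const BASELINE = [
  "var sc_project = 0;",
  "function sc_collect() { return document.referrer; }",
  "function sc_send(u) { new Image().src = u; }",
  "sc_send('/t?r=' + encodeURIComponent(sc_collect()));",
].join("\n");

// Constructed sample: the same script with one unexpected line in the middle.
const lines = BASELINE.split("\n");
lines.splice(2, 0, "/* constructed: line absent from the reviewed copy */ var extra = 1;");
const TAMPERED = lines.join("\n");

const report = checkScript(sriDigest(BASELINE), BASELINE, TAMPERED);
console.log(report.ok ? "unchanged" :
  `changed in the ${report.position}, starting at line ${report.firstLine}`);
```

A vendor that updates its script legitimately will also trip this check, so each mismatch needs a review of the reported lines before the baseline is re-pinned.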

The malicious code was first inserted Nov. 3 and is possibly still live. In a strange twist, the code only targets users of a cryptocurrency site called Gate.io and hijacks cryptocurrency wallets with the intent of stealing bitcoin.

“Even if we do not know how many bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange,” the researchers note. “To achieve this they compromised an analytics service’s website, used by more than 2 million other websites, including several government-related websites, to steal bitcoin from customers of just one cryptocurrency exchange website.”
