Security Researchers Discover Malicious Code To Steal Bitcoin From Gate.io Users
Cybersecurity experts from ESET reported a supply-chain attack on the Gate.io cryptocurrency exchange on November 3, 2018.
The malicious code was delivered to every website embedding the StatCounter service, but it acted only on pages whose URI contained myaccount/withdraw/BTC.
When it found such a page, it performed its real task: replacing the BTC address the funds were being withdrawn to with one controlled by the attackers, so that a user making a withdrawal unknowingly sent Bitcoin to the attacker’s address.
The swap happened only after the user submitted the withdrawal order, so it was almost impossible to notice in real time.
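The attack worked because the exchange loaded a third-party script it did not control. Subresource Integrity (SRI) is the browser mechanism for pinning such a script to a vetted copy; the example below, added here and not part of the original article or of Gate.io’s or StatCounter’s code, computes an SRI integrity value the way browsers do and shows that a modified script body no longer matches. The script bodies are constructed stand-ins, and the src URL is a placeholder. The caveat a practitioner should know: SRI only fits scripts with fixed content, so an analytics script the provider updates on its own schedule must instead be self-hosted from a reviewed copy.

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits

# Constructed sample: a stand-in for a third-party analytics script as it
# looked when the site owner reviewed it (not StatCounter's real code).
TRUSTED_SCRIPT = b"(function(){ window.__analytics = {page: location.pathname}; })();\n"

# Constructed sample: the same script after an upstream modification.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"/* content added after the review */\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for a script body,
    computed exactly as a browser does when checking <script integrity=...>."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """True if the fetched body matches a hash in the integrity attribute.
    The attribute may carry several space-separated values; this simplified
    check accepts the body if any token with a known algorithm matches
    (browsers consider only the strongest algorithm present)."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo not in SRI_ALGOS:
            continue  # unknown algorithms are ignored, as browsers do
        if sri_hash(body, algo) == token:
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag that pins a page to the reviewed copy of a script.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(TRUSTED_SCRIPT)
    print(script_tag("https://analytics.example.invalid/counter.js", TRUSTED_SCRIPT))
    print("trusted copy loads:", sri_matches(TRUSTED_SCRIPT, pinned))   # True
    print("modified copy loads:", sri_matches(TAMPERED_SCRIPT, pinned))  # False
```

A browser refuses to execute a script whose body fails the integrity check, so a silent upstream change like the one described above would break the page loudly instead of running.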
ESET’s Matthieu Faou explained that a different Bitcoin address was generated each time a user tried to withdraw BTC from the compromised exchange, and thus the researchers were unable to identify the main Bitcoin address the attacker used to store the stolen funds.
The potential for a grand-scale robbery
Gate.io is by no means a minor exchange. It is, in fact, among the world’s top 50 cryptocurrency exchanges, with a daily volume of $52,262,903 across 349 active markets, of which $1.6 million is in various Bitcoin transactions.
Successfully planting code on a trading platform of this size gave a would-be attacker more than enough potential for a grand-scale robbery.
Fortunately, Gate.io was informed about the breach right away and immediately stopped using StatCounter’s service.
On November 8, 2018, both StatCounter and Gate.io reported that they had removed the malicious code and were continuing to operate safely.
No Bitcoin stolen
However dangerous, subtle and effective such an attack may be, Gate.io says it has not received any user reports of stolen funds. This kind of attack is a novelty in the world of cryptocurrencies.
It does not use brute force to break through the exchange’s security and steal cryptocurrency directly. Instead, it takes a detour through a trusted third party, which makes the scheme harder to uncover.
Infecting a web analytics service used by many other websites just to reach a single target can be called ingenious.
Generating a new Bitcoin address for every transaction in order to hide the address where the stolen funds are stored is another clever way to avoid detection. All this ingenuity also points to the vulnerability of any system that depends on a third-party service.
This case shows that however secure a centralized trading platform may appear to be, and no matter how often its development team updates its protection, it still depends on other parties’ technology.
And just like evil geniuses in the movies, these hackers are always ready to exploit such weaknesses in the most subtle and effective way. This time, thanks to other brilliant minds, a catastrophe was prevented.