Supply-chain attack on cryptocurrency exchange gate.io

2018-11-06 ESET

https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/


Attackers compromised StatCounter's web analytics script and used the trusted counter.js inclusion to target Gate.io's Bitcoin withdrawal page. The injected JavaScript checked for the /myaccount/withdraw/BTC URI, loaded a second-stage script from the lookalike statconuter.com domain, then replaced the victim's withdrawal address with attacker-controlled Bitcoin addresses such as 1JrFLmGVk1ho1UcMPq1WYirHptcCYr2jad. ESET assessed Gate.io as the main target because that URI matched its withdrawal flow, making the incident a supply chain attack against a cryptocurrency exchange rather than a broad website compromise. StatCounter removed the malicious script and Gate.io stopped using the analytics service on November 6, 2018, but the report could not determine how much bitcoin was stolen.
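The second stage above was served from a domain one transposition away from the legitimate one. As an added example (not code from the ESET report), the following check classifies script source URLs, such as those collected from CSP reports or a crawl of your own pages, and flags hosts that closely imitate a trusted host. The allowlist, the URL paths, the function names and the distance threshold are assumptions made for illustration.

```javascript
// Added example: TRUSTED_HOSTS and SAMPLE_SOURCES are constructed for illustration.
const TRUSTED_HOSTS = ["statcounter.com", "gate.io"];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so a swapped letter pair ("nu" for "un") costs 1 edit instead of 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Simplification: the last two labels stand in for the registrable domain.
// A production check would consult the Public Suffix List instead.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Returns one verdict per URL: "trusted", "lookalike" (with the imitated host) or "unknown".
function classifyScriptSources(urls, trusted = TRUSTED_HOSTS, maxDistance = 2) {
  return urls.map((url) => {
    const domain = baseDomain(new URL(url).hostname);
    if (trusted.includes(domain)) return { url, domain, verdict: "trusted" };
    const imitates = trusted.find((t) => osaDistance(domain, t) <= maxDistance);
    return imitates
      ? { url, domain, verdict: "lookalike", imitates }
      : { url, domain, verdict: "unknown" };
  });
}

// Constructed sample input; only the host names come from the report.
const SAMPLE_SOURCES = [
  "https://www.statcounter.com/constructed/counter.js",
  "https://www.statconuter.com/constructed/stage2.js",
  "https://cdn.example.net/constructed/lib.js",
];

console.log(classifyScriptSources(SAMPLE_SOURCES));
```

A fixed edit-distance threshold produces false positives for short trusted names, so treat "lookalike" as a prompt for review rather than an automatic block.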

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| URL | https://www.gate.io/myaccount/w… | 2018-11-06 | 2018-11-06 |
| URL | https://www.statconuter.com/c.p… | 2018-11-06 | 2018-11-06 |
| DOMAIN | statconuter.com | 2018-11-06 | 2018-11-06 |
