The firm's Matthieu Faou said gate.io was a popular exchange, with millions of dollars, including US$1.6 million in bitcoin, being transacted every day.
Statcounter has more than two million members and calculates Web statistics on more than 10 billion page views each month. Its Alexa ranking is a little above 5000.
The inserted code had the effect of creating a Web page that would transfer bitcoin from a gate.io account to an external bitcoin address.
The redirection of the withdrawal was probably not noticeable to victims, as it happened after they clicked on the submit button, he pointed out.
"Even if we do not know how many bitcoins have been stolen during this attack, it shows how far attackers go to target one specific website, in particular a cryptocurrency exchange," Faou said.
"To achieve this they compromised an analytics service’s website, used by more than two million other websites, including several government-related websites, to steal bitcoin from customers of just one cryptocurrency exchange website."
And, he added, "It also shows that even if your website is updated and well protected, it is still vulnerable to the weakest link, which in this case was an external resource.
"We're investigating currently. We'll let you know when we have more details."