No, I mean the initial HTTP request can go to some other site, which can then issue a redirect to anywhere it pleases (i.e. to exchangerate-api.com).
If you're running a malicious service and you want to throw people off the scent, one common strategy is to redirect to random legitimate services so that anyone investigating thinks you're part of the other service.
If you're running a malicious service and you want to throw people off the scent, one common strategy is to redirect to random legitimate services so that anyone investigating thinks you're part of the other service.