A core Ethereum developer said he was hit by a cryptocurrency wallet drainer linked to a rogue code assistant, underscoring how even seasoned builders can be caught by increasingly polished scams.
Core Ethereum developer Zak Cole fell victim to a malicious artificial intelligence extension from Cursor AI, which enabled the attacker to access his hot wallet for three days before draining the funds, he said in a Tuesday X post.
The developer installed the “contractshark.solidity-lang” that appeared legitimate — with a professional icon, descriptive copy and more than 54,000 downloads — but silently exfiltrated his private key. The plugin “read my .env file” and sent the key to an attacker’s server, giving access to his hot wallet for three days before funds were drained on Aug. 10, he said.
“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to a “few hundred” dollars in Ether (ETH) because he uses small, project-segregated hot wallets for testing and keeps primary holdings on hardware devices.
Source:Zak.ethWallet drainers — malware designed to steal digital assets — are becoming a growing threat to cryptocurrency investors.
Related:Colorado pastor and wife indicted in $3.4M crypto scam
In September 2024, a wallet drainer disguised as the WalletConnect Protocol stole over $70,000 worth of digital assets from investors after being live on the Google Play store for over five months.
Some of the fake reviews on the spoofed WalletConnect app mentioned features that had nothing to do with crypto. Source: Check Point Research## Extensions are becoming a ‘major attack vector’ for crypto builders
Malicious VS Code and extensions are becoming a “major attack vector, using fake publishers and typosquatting to steal private keys,” according to Hakan Unal, senior security operations lead at blockchain security firm Cyvers.
“Builders should vet extensions, avoid storing secrets in plain text or .env file, use hardware wallets, and develop in isolated environments.”
Meanwhile, crypto drainers are becoming even more accessible for scammers.
Related:Lazarus Group laundered over $200M in hacked crypto since 2020
Crypto drainers report image. Source:AMLBotAn April 22 report from crypto forensics and compliance firm AMLBot revealed that these drainers are sold as a software-as-a-service model, enabling scammers to rent this software for as little as $100 USDt (USDT), Cointelegraph reported.
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
Ethereum core dev’s crypto wallet drained by malicious AI extension
A core Ethereum developer said he was hit by a cryptocurrency wallet drainer linked to a rogue code assistant, underscoring how even seasoned builders can be caught by increasingly polished scams.
Core Ethereum developer Zak Cole fell victim to a malicious artificial intelligence extension from Cursor AI, which enabled the attacker to access his hot wallet for three days before draining the funds, he said in a Tuesday X post.
The developer installed the “contractshark.solidity-lang” that appeared legitimate — with a professional icon, descriptive copy and more than 54,000 downloads — but silently exfiltrated his private key. The plugin “read my .env file” and sent the key to an attacker’s server, giving access to his hot wallet for three days before funds were drained on Aug. 10, he said.
“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to a “few hundred” dollars in Ether (ETH) because he uses small, project-segregated hot wallets for testing and keeps primary holdings on hardware devices.
Related: Colorado pastor and wife indicted in $3.4M crypto scam
In September 2024, a wallet drainer disguised as the WalletConnect Protocol stole over $70,000 worth of digital assets from investors after being live on the Google Play store for over five months.
Malicious VS Code and extensions are becoming a “major attack vector, using fake publishers and typosquatting to steal private keys,” according to Hakan Unal, senior security operations lead at blockchain security firm Cyvers.
Meanwhile, crypto drainers are becoming even more accessible for scammers.
Related: Lazarus Group laundered over $200M in hacked crypto since 2020
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users