Ethereum Core Developer Falls Victim to Malicious AI Wallet Drainer
Even veteran blockchain builders aren’t immune to today’s sophisticated scams, and one core Ethereum developer just learned that the hard way.
- Ethereum core dev Zak Cole lost funds to a malicious Cursor AI extension that stole his private key.
- The fake extension, “contractshark.solidity-lang,” had over 54,000 downloads and appeared highly legitimate.
- The attacker had access to Cole’s hot wallet for three days before draining a few hundred dollars in ETH.
- Malicious extensions and typosquatting are becoming a major attack vector for crypto builders.
- Wallet drainer tools are now sold as SaaS, making them cheap and accessible to scammers.
Core Ethereum developer Zak Cole revealed he lost funds to a malicious AI-powered code assistant – a reminder that even experienced builders can be caught off guard. In an X post, Cole explained that the attack came through a rogue Cursor AI extension called “contractshark.solidity-lang.” The plugin looked legitimate, with a professional icon, a detailed description, and over 54,000 downloads.
Unbeknownst to him, the extension was silently reading his .env file, extracting his private key, and sending it to an attacker’s server. The attacker then had full access to his hot wallet for three days, eventually draining a few hundred dollars in ETH on Sunday. Cole noted that his losses were minimal because he uses small, project-specific hot wallets for testing and stores his primary holdings in hardware wallets.
The incident highlights a broader and growing threat in the crypto space – wallet drainers. These malicious tools are designed to steal digital assets and have been responsible for large-scale thefts. In September 2024, a fake WalletConnect app on the Google Play store stayed live for over five months, stealing more than $70,000 in crypto.
Security experts like Hakan Unal of Cyvers warn that malicious Visual Studio Code and similar extensions are now a “major attack vector,” using fake publishers and typosquatting to trick developers. Best practices include vetting extensions carefully, avoiding storing secrets in plain text, relying on hardware wallets, and developing in isolated environments.
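As an added illustration of the "avoid storing secrets in plain text" advice (this is example code written for this page, not something from Cole, Cyvers, or any project named here), the following Python sketch walks a workspace and flags `.env` entries whose values look like wallet secrets, so they can be moved out of files that any editor extension can read. The function names and the matching heuristics are assumptions, and the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# Heuristic (assumption): a raw private key is 64 hex chars, optionally 0x-prefixed.
# Other 32-byte hex values (hashes) match too, so treat hits as review items.
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Heuristic (assumption): a seed phrase is 12-24 short lowercase words.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD = re.compile(r"^[a-z]{3,8}$")
# Constructed sample input; the key and phrase are dummy values.
SAMPLE = (
    "RPC_URL=https://rpc.example.invalid\n"
    "PRIVATE_KEY=0x" + "ab" * 32 + "\n"
    'export MNEMONIC="' + " ".join(["abandon"] * 12) + '"\n'
)

def classify(value):
    """Return the kind of wallet secret a value resembles, or None."""
    v = value.split(" #", 1)[0].strip().strip("'\"")
    if HEX_KEY.match(v):
        return "hex-private-key"
    words = v.split()
    if len(words) in MNEMONIC_LENGTHS and all(WORD.match(w) for w in words):
        return "mnemonic"
    return None

def scan_env_text(text, source="<string>"):
    """Report (source, line, variable, kind) without echoing the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        kind = classify(value)
        if kind:
            findings.append((source, lineno, name.removeprefix("export ").strip(), kind))
    return findings

def scan_tree(root):
    findings = []
    # Matches .env, .env.local, .env.production, and so on, at any depth.
    for path in sorted(Path(root).rglob(".env*")):
        if path.is_file():
            findings += scan_env_text(path.read_text(errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    for src, lineno, name, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{src}:{lineno}: {name} looks like a {kind}")
```

Run it against a project directory before opening that directory in an editor with third-party extensions installed; it requires Python 3.9 or later.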
Adding to the problem, wallet drainer kits are becoming easier to access. According to AMLBot, these tools are being offered under a software-as-a-service model, with some available for rent for as little as $100 USDT – putting powerful theft tools into the hands of even low-level scammers.
Final Thought
This case proves that no one in crypto – not even core developers – is immune to scams. With malicious extensions and cheap wallet drainer tools on the rise, strong operational security and cautious development practices are no longer optional; they’re essential.