Not even the most experienced crypto builders are safe from the latest wave of sophisticated scams.
On Tuesday, Ethereum core developer Zak Cole shared on X that he had fallen victim to a malicious AI-based code assistant that drained funds from his hot wallet. The culprit? A Cursor AI extension disguised as a legitimate Solidity development tool.
The Trap That Looked Legit
The extension, named “contractshark.solidity-lang”, appeared professional, complete with a sleek icon, detailed description, and over 54,000 downloads. But beneath the surface, it was a carefully engineered trap.
Once installed, the extension silently read Cole’s .env file, extracted his private key, and transmitted it to an attacker’s server. The attacker then had three days of unrestricted access to Cole’s hot wallet before finally draining it on Sunday.
“In 10+ years, I have never lost a single wei to hackers,” Cole admitted. “Then I rushed to ship a contract last week.” Fortunately, he only lost a few hundred dollars in Ether thanks to his security practice of keeping hot wallets small and isolated for project testing, with primary holdings stored securely on hardware wallets.
A Rising Threat for Crypto Developers
Security experts warn this is not an isolated incident. Hakan Unal, senior security operations lead at Cyvers, described malicious extensions as a “major attack vector” for crypto builders.
These attacks often use:
- Fake publishers
- Typosquatting (slightly misspelled package names)
- Hidden key-stealing code
Unal advises developers to vet every extension, avoid storing sensitive keys in plain text, use hardware wallets, and work in isolated environments.
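As an added illustration of two of those checks, not code from the article, from Cyvers or from any extension project: a small Python script that flags plaintext private keys in a .env file (the file the malicious extension read) and compares an extension identifier against a trusted allowlist to catch typosquatted names. The allowlist entries, the candidate id and the .env contents are constructed placeholders, not real publishers or keys.

```python
import re
from difflib import SequenceMatcher

# An EVM private key is 32 bytes: in a .env it shows up as 64 hex digits, with or without "0x".
PRIVATE_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")

def find_plaintext_keys(env_text):
    """Return the names of .env variables whose value looks like a raw private key."""
    hits = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip().strip("'\"")      # tolerate quoted values
        if PRIVATE_KEY_RE.match(value):
            hits.append(name.strip())
    return hits

def typosquat_suspects(extension_id, trusted_ids, threshold=0.85):
    """Flag an id that is close to, but not identical with, an allowlisted publisher.extension."""
    candidate = extension_id.lower()
    if candidate in (t.lower() for t in trusted_ids):
        return []                                # exact allowlist match: nothing to flag
    suspects = []
    for trusted in trusted_ids:
        ratio = SequenceMatcher(None, candidate, trusted.lower()).ratio()
        if ratio >= threshold:                   # near-miss: likely a look-alike name
            suspects.append((trusted, round(ratio, 2)))
    return suspects

# Constructed sample .env; the key values are dummy hex, not real keys.
SAMPLE_ENV = """# constructed sample
RPC_URL=https://rpc.example.invalid
PRIVATE_KEY=0x{0}
DEPLOYER_KEY='{0}'
ETHERSCAN_API_KEY=not-a-private-key
""".format("a1b2c3d4" * 8)

# Constructed allowlist and candidate id: placeholders, not real publishers.
TRUSTED_EXTENSIONS = ["example-publisher.solidity", "example-publisher.hardhat-tools"]
CANDIDATE_ID = "examp1e-publisher.solidity"   # the "l" replaced by a "1"

if __name__ == "__main__":
    print("plaintext keys in .env:", find_plaintext_keys(SAMPLE_ENV))
    print("look-alike of a trusted id:", typosquat_suspects(CANDIDATE_ID, TRUSTED_EXTENSIONS))
```

Run it against a real project's .env and against the ids of extensions you are about to install; any hit in the first check is a key that belongs in a keystore or hardware wallet instead.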
Wallet Drainers: Now Available for Rent
The threat is growing not just in complexity but in accessibility. According to an AMLBot report published in April, wallet-drainer malware is now offered as software-as-a-service, with criminals renting it for as little as $100 in USDT.
These tools have already caused significant damage:
- In September 2024, a fake WalletConnect app on Google Play ran for over five months, stealing more than $70,000 in crypto.
- Many fake app reviews mentioned irrelevant features—likely meant to fool unsuspecting users.
With scams becoming polished, professional, and cheap to deploy, experts say the risk to developers and investors alike has never been higher.
