Ethereum core dev Zak Cole lost funds after a malicious Cursor extension stole his private key, highlighting rising wallet drainer attacks on builders.
A core Ethereum developer said he was hit by a cryptocurrency wallet drainer linked to a rogue code assistant, underscoring how even seasoned builders can be caught by increasingly polished scams.
Core Ethereum developer Zak Cole fell victim to a malicious artificial intelligence extension from Cursor AI, which enabled the attacker to access his hot wallet for three days before draining the funds, he said in a Tuesday X post.
The developer installed the “contractshark.solidity-lang” that appeared legitimate — with a professional icon, descriptive copy and more than 54,000 downloads — but silently exfiltrated his private key. The plugin “read my .env file” and sent the key to an attacker’s server, giving access to his hot wallet for three days before funds were drained on Aug. 10, he said.
“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to a “few hundred” dollars in Ether (ETH) because he uses small, project-segregated hot wallets for testing and keeps primary holdings on hardware devices.
Wallet drainers — malware designed to steal digital assets — are becoming a growing threat to cryptocurrency investors.
Related: Colorado pastor and wife indicted in $3.4M crypto scam
In September 2024, a wallet drainer disguised as the WalletConnect Protocol stole over $70,000 worth of digital assets from investors after being live on the Google Play store for over five months.
Malicious VS Code and extensions are becoming a “major attack vector, using fake publishers and typosquatting to steal private keys,” according to Hakan Unal, senior security operations lead at blockchain security firm Cyvers.
“Builders should vet extensions, avoid storing secrets in plain text or .env file, use hardware wallets, and develop in isolated environments.”
Meanwhile, crypto drainers are becoming even more accessible for scammers.
Related: Lazarus Group laundered over $200M in hacked crypto since 2020
An April 22 report from crypto forensics and compliance firm AMLBot revealed that these drainers are sold as a software-as-a-service model, enabling scammers to rent this software for as little as $100 USDt (USDT), Cointelegraph reported.
