
An Ethereum core developer has reported losing funds after installing a fraudulent AI coding extension that secretly harvested his private keys.
The tool, which looked legitimate and showed tens of thousands of downloads, read his project's .env file, where the private key was stored in plain text, and sent its contents to an attacker-controlled server. His hot wallet was drained three days later.
The loss was limited to a few hundred dollars in Ethereum thanks to the use of small, project-specific wallets, with most holdings stored on hardware devices.
Security experts say fake extensions are becoming a major attack vector for crypto builders, using realistic branding and inflated download counts to gain trust.
A similar tactic was seen last year when a fake WalletConnect app on Google Play stole more than $70,000 in digital assets.
Cyvers’ security lead, Hakan Unal, warns developers to avoid storing keys in plain text, verify extensions before installing, and use hardware wallets to protect funds.
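The first of those three recommendations can be checked mechanically. The script below is an added example, not code from the article or from Cyvers: it parses the `.env` files under a project tree the way a dotenv loader would and flags values that look like a secp256k1 private key (64 hex characters, optionally `0x`-prefixed) or a 12/24-word seed phrase, which is exactly the material a malicious extension harvests. The regexes, the variable-name heuristic and the sample file are constructed for this example. A 32-byte key and a 32-byte hash are indistinguishable by value alone, so the variable name is used to rank findings; a hit under `TX_HASH` is reported at low confidence, one under `DEPLOYER_PRIVATE_KEY` at high.

```python
"""Flag Ethereum private keys and seed phrases stored in plain text in .env files.

Added example for this article; not the developer's, Cyvers' or any project's own tooling.
Patterns, variable-name heuristic and SAMPLE_ENV are constructed here.
"""
import re
from pathlib import Path

# secp256k1 private key as 64 hex chars, optional 0x prefix. The lookarounds stop
# longer hex blobs (calldata, signatures) from matching a 64-char window inside them.
ETH_PRIVKEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# 12- or 24-word lowercase phrase; heuristic only, no BIP-39 wordlist check.
MNEMONIC_RE = re.compile(r"^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$")

# Variable names that make a 64-hex value far more likely to be a key than a hash.
SECRET_NAME_HINTS = ("KEY", "PRIV", "SECRET", "MNEMONIC", "SEED")


def parse_dotenv(text):
    """Yield (name, value) for KEY=VALUE lines; skip comments and blanks, strip matching quotes."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield name.strip(), value


def classify(value):
    """Return 'eth_private_key', 'seed_phrase' or None for a single value."""
    if ETH_PRIVKEY_RE.search(value):
        return "eth_private_key"
    if MNEMONIC_RE.match(value.strip()):
        return "seed_phrase"
    return None


def scan_text(text):
    """Return [(variable_name, kind, confidence)] for every suspicious value in a dotenv body."""
    findings = []
    for name, value in parse_dotenv(text):
        kind = classify(value)
        if kind is None:
            continue
        # A key-like hex value under a name such as TX_HASH is probably a hash, not a key.
        confidence = "high" if any(h in name.upper() for h in SECRET_NAME_HINTS) else "low"
        findings.append((name, kind, confidence))
    return findings


def scan_tree(root):
    """Scan every .env* file below root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob(".env*"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample .env; the key and hash are synthetic patterns, not real credentials.
SAMPLE_ENV = """\
# deployment settings (constructed sample)
RPC_URL=https://mainnet.example.invalid
export DEPLOYER_PRIVATE_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
TX_HASH=0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
MNEMONIC="test test test test test test test test test test test junk"
API_TOKEN=abc123
"""

if __name__ == "__main__":
    for name, kind, confidence in scan_text(SAMPLE_ENV):
        print(f"{confidence:5} {kind:16} {name}")
    for path, hits in scan_tree(".").items():
        print(path, hits)
```

Run it from a project root before installing anything into the editor that loads that project; any high-confidence hit means a key is sitting where an extension with file-system access can read it, and the fix is to move signing onto a hardware wallet or an encrypted keystore rather than to rename the variable.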
As AI-assisted tools grow in popularity, scammers are increasingly using them as entry points into the crypto ecosystem.

