An Ethereum core developer, Zak Cole, has reportedly fallen victim to a new kind of cryptocurrency scam involving malicious artificial intelligence software. The developer downloaded an extension from Cursor AI known as “contractshark.solidity-lang”, which seemed legitimate at the time, boasting over 54,000 downloads. Unknown to him, the extension was designed to silently extract his private key, giving attackers access to his hot wallet for three days before they drained the funds.
Zak Cole shared his experience on Tuesday, detailing how the malicious plugin had read his .env file and sent the key to the attacker’s server. He revealed that he hadn’t lost any funds to hackers in over a decade until he fell victim to this scam, losing a few hundred dollars worth of Ether. Cole, however, maintains separate hot wallets for testing and keeps most of his holdings on hardware devices, thereby minimizing his losses.
Digital wallet drainers, malware specifically engineered to steal digital assets, are gaining notoriety in the crypto world. In September 2024, a wallet drainer masquerading as the WalletConnect Protocol was discovered after having been live on the Google Play store for more than five months, robbing investors of more than $70,000 in digital assets.
Hakan Unal, the senior security operations lead at Cyvers, a blockchain security firm, mentioned that malicious VS Code and extensions have become “major attack vectors,” used for digital theft. He recommends meticulous vetting of extensions, avoiding plain text or .env files for storing secrets, use of hardware wallets and isolated environments to curb development-related attacks.
The rise of crypto drainers has been further fueled by the availability of such malware on a rent basis. A recent report from crypto forensics and compliance firm AMLBot revealed a software-as-a-service model for such drainers, which would-be attackers can lease for as low as $100, further lowering the bar for entry into the malicious activity.