Ethereum Core Developer Loses Funds to Malicious AI Code Assistant

nihalsari

Even experienced blockchain developers are not immune to sophisticated scams. Core Ethereum developer Zak Cole revealed on X that he fell victim to a cryptocurrency wallet drainer embedded in a rogue AI code assistant.

The malicious extension, “contractshark.solidity-lang”, appeared legitimate—with a professional icon, descriptive text, and over 54,000 downloads—but secretly exfiltrated his private key. According to Cole, it accessed his .env file and sent the key to an attacker’s server, allowing them to control his hot wallet for three days before draining the funds on Sunday.

“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to “a few hundred” dollars in Ether thanks to his practice of using small, project-specific hot wallets and storing primary holdings on hardware devices.

Wallet Drainers: A Growing Threat

Wallet drainers—malware designed to steal digital assets—are increasingly targeting both developers and investors. In September 2024, a fake WalletConnect app on Google Play operated for over five months before being taken down, stealing more than $70,000 in crypto. Some fake reviews for the app even described irrelevant, non-crypto features to appear legitimate.

Extensions as a New Attack Vector

Malicious VS Code extensions are emerging as a major attack vector, using fake publishers and typosquatting to capture sensitive data, said Hakan Unal, senior security operations lead at blockchain security firm Cyvers.

“Builders should vet extensions, avoid storing secrets in plain text or .env files, use hardware wallets, and develop in isolated environments,” Unal advised.

Meanwhile, wallet drainer tools are becoming easier for scammers to obtain and deploy, raising the stakes for security-minded crypto builders.

jacson4

<p dir="auto"><img src="/forum/assets/uploads/files/1755154420729-0198a321-dff1-7164-8f86-23edeee866cb.webp" alt="0198a321-dff1-7164-8f86-23edeee866cb.webp" class=" img-fluid img-markdown" /></p> <p dir="auto">Even experienced blockchain developers are not immune to sophisticated scams. Core Ethereum developer Zak Cole revealed on X that he fell victim to a cryptocurrency wallet drainer embedded in a rogue AI code assistant.</p> <p dir="auto">The malicious extension, “contractshark.solidity-lang”, appeared legitimate—with a professional icon, descriptive text, and over 54,000 downloads—but secretly exfiltrated his private key. According to Cole, it accessed his .env file and sent the key to an attacker’s server, allowing them to control his hot wallet for three days before draining the funds on Sunday.</p> <p dir="auto">“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to “a few hundred” dollars in Ether thanks to his practice of using small, project-specific hot wallets and storing primary holdings on hardware devices.</p> <p dir="auto">Wallet Drainers: A Growing Threat</p> <p dir="auto">Wallet drainers—malware designed to steal digital assets—are increasingly targeting both developers and investors. In September 2024, a fake WalletConnect app on Google Play operated for over five months before being taken down, stealing more than $70,000 in crypto. Some fake reviews for the app even described irrelevant, non-crypto features to appear legitimate.</p> <p dir="auto">Extensions as a New Attack Vector</p> <p dir="auto">Malicious VS Code extensions are emerging as a major attack vector, using fake publishers and typosquatting to capture sensitive data, said Hakan Unal, senior security operations lead at blockchain security firm Cyvers.</p> <p dir="auto">“Builders should vet extensions, avoid storing secrets in plain text or .env files, use hardware wallets, and develop in isolated environments,” Unal advised.</p> <p dir="auto">Meanwhile, wallet drainer tools are becoming easier for scammers to obtain and deploy, raising the stakes for security-minded crypto builders.</p>

Nahid10

What’s scary here is the shift in attack surface. Phishing used to be mostly about emails and fake websites. Now, scammers are embedding malware into tools developers trust and use daily. VS Code extensions, npm packages, browser plugins — all are ripe for abuse because the target audience is already logged in, already has permissions, and often already has funds nearby. The fact that “contractshark.solidity-lang” had 54K+ downloads before being caught should be a wake-up call. This is the perfect time for extension marketplaces to introduce better publisher verification and automated code scans before approval.