According to Cointelegraph, a core Ethereum developer, Zak Cole, recently experienced a significant security breach when his cryptocurrency wallet was compromised by a rogue code assistant. This incident highlights the increasing sophistication of scams targeting even experienced developers in the cryptocurrency space.
Cole revealed in a post on X that he was targeted by a malicious artificial intelligence extension from Cursor AI. This extension, which appeared legitimate with a professional icon and over 54,000 downloads, was installed by Cole under the name “contractshark.solidity-lang.” Unbeknownst to him, the plugin exfiltrated his private key by reading his .env file and sending the information to an attacker’s server. This breach allowed the attacker to access Cole's hot wallet for three days, culminating in the draining of funds on August 10, 2025.
Despite the breach, Cole noted that his financial loss was limited to a few hundred dollars in Ether (ETH) due to his practice of using small, project-segregated hot wallets for testing purposes. He emphasized that his primary holdings remain secure on hardware devices. Cole's experience underscores the growing threat posed by wallet drainers, which are malware designed to steal digital assets from unsuspecting users.
The threat of wallet drainers is not new. In September 2024, a similar incident occurred when a wallet drainer disguised as the WalletConnect Protocol managed to steal over $70,000 worth of digital assets from investors. This malicious app had been available on the Google Play store for over five months before being discovered. Fake reviews on the app mentioned features unrelated to cryptocurrency, further misleading users.
Hakan Unal, senior security operations lead at blockchain security firm Cyvers, warns that malicious VS Code extensions are becoming a major attack vector for crypto developers. These attacks often rely on fake publishers and typosquatting to steal private keys. Unal advises developers to thoroughly vet extensions, avoid storing secrets in plain text or .env files, use hardware wallets, and develop in isolated environments to mitigate these risks.
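The advice to keep secrets out of plain-text .env files can be checked mechanically. The following is an added example, not code from the article, Cole, or Cyvers: a small audit that walks a workspace and reports .env assignments whose values have the shape of wallet key material. The function names, labels, and sample input are assumptions made for illustration.

```python
import re
from pathlib import Path

# 64 hex chars (optional 0x) is the shape of a raw Ethereum private key.
# Hashes share this shape, so a hit means "review this", not proof.
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}  # BIP-39 phrase word counts
# Constructed sample input, not a real key.
SAMPLE = 'RPC_URL=https://rpc.example\nexport PRIVATE_KEY="0x' + "ab" * 32 + '"\n'

def classify(value):
    v = value.strip().strip("'\"")
    if HEX_KEY.match(v):
        return "hex-private-key"
    words = v.split()
    if len(words) in MNEMONIC_LENGTHS and all(w.isalpha() and w.islower() for w in words):
        return "mnemonic-like"
    return None

def scan_env_text(text):
    """Return (line, variable, label) per hit; the secret is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        label = classify(value.split(" #", 1)[0])  # drop trailing comment
        if label:
            findings.append((lineno, name.strip(), label))
    return findings

def scan_tree(root):
    """Scan every .env / .env.* file under root."""
    results = []
    for path in Path(root).rglob(".env*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        results += [(str(path), *f) for f in scan_env_text(text)]
    return sorted(results)

if __name__ == "__main__":
    print(scan_env_text(SAMPLE))  # [(2, 'PRIVATE_KEY', 'hex-private-key')]
```

Any hit is a value that every extension running in the editor can read with the developer's own file permissions, so it is a candidate for moving to a hardware wallet or an isolated environment.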
The accessibility of crypto drainers is also a concern, as they are increasingly available to scammers. A report from April 2022 by crypto forensics and compliance firm AMLBot revealed that these drainers are being sold under a software-as-a-service model, allowing scammers to rent the software for as little as $100 USDT. This development poses a significant challenge to the security of digital assets in the cryptocurrency industry.