Ethereum Developer Falls Victim to Malicious AI Extension

One of Ethereum’s key developers, Zak Cole, has fallen prey to a cryptocurrency drainer. The perpetrators stole the private key to his hot wallet.

“I’ve been in the crypto industry for over 10 years, and I’ve never been hacked. Perfect security reputation. However, yesterday my wallet was drained for the first time by a drainer in the form of the AI assistant Cursor,” he wrote.

Cole installed the contractshark.solidity-lang extension, noticing nothing suspicious. It featured a professional icon design, a detailed description, and over 54,000 downloads.

However, the plugin covertly copied the developer’s .env file, containing the private key, and sent it to the attackers’ server. The hackers had access to Cole’s wallet for three days but only withdrew funds on August 10.

According to the victim, the losses amounted to “a few hundred” dollars in ether. The majority of his funds are stored in hardware wallets.

Cole noticed a notification about the transfer of funds. It was then he realized he had been hacked. After reviewing reports from Kaspersky Lab and other cybersecurity firms, the Ethereum developer discovered that the drainer was part of a campaign in which attackers had already stolen over $500,000.

He also highlighted “red flags” he overlooked when installing the extension:

  • unofficial creator;
  • lack of a GitHub link;
  • high number of downloads and zero reviews;
  • recent upload date — July 2025;
  • imitation of a well-known extension’s name.

“Haste = ignoring instincts,” Cole emphasized.
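The red flags Cole lists can be checked mechanically before an extension is installed. The sketch below is an added example, not code from the article or from Cursor; the metadata field names, the thresholds and the vetted ID `example-vendor.solidity-language` are assumptions, and the sample listings are constructed (the suspect one from the figures reported above).

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed allowlist: extension IDs (publisher.name) the team has already vetted.
TRUSTED_IDS = {"example-vendor.solidity-language"}

def red_flags(meta, today, trusted_ids=TRUSTED_IDS, max_age_days=90,
              min_downloads=10_000, lookalike_ratio=0.8):
    """Return the article's red flags that a marketplace listing trips."""
    publisher, name = meta["publisher"].lower(), meta["name"].lower()
    if f"{publisher}.{name}" in trusted_ids:
        return []  # exact match with a vetted extension
    flags = []
    if publisher not in {tid.split(".", 1)[0] for tid in trusted_ids}:
        flags.append("unofficial publisher")
    if not meta.get("repository"):
        flags.append("no source repository link")
    # Many installs with no reviews is the mismatch the article lists.
    if meta["downloads"] >= min_downloads and meta["reviews"] == 0:
        flags.append("many downloads, zero reviews")
    if (today - meta["published"]).days <= max_age_days:
        flags.append("recently published")
    # Lookalike check: near-identical name to a vetted extension, different ID.
    for tid in sorted(trusted_ids):
        if SequenceMatcher(None, name, tid.split(".", 1)[1]).ratio() >= lookalike_ratio:
            flags.append(f"name imitates {tid}")
            break
    return flags

# Constructed listings. The suspect uses the article's figures; the exact
# publication day and the review day are assumptions.
REVIEW_DAY = date(2025, 8, 7)
SUSPECT = {"publisher": "contractshark", "name": "solidity-lang", "repository": None,
           "downloads": 54_000, "reviews": 0, "published": date(2025, 7, 1)}
VETTED = {"publisher": "example-vendor", "name": "solidity-language",
          "repository": "https://example.invalid/repo", "downloads": 900_000,
          "reviews": 412, "published": date(2021, 3, 15)}

if __name__ == "__main__":
    for listing in (SUSPECT, VETTED):
        found = red_flags(listing, REVIEW_DAY)
        print(f"{listing['publisher']}.{listing['name']}: {found or 'no red flags'}")
```
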

He advised users who have been hacked to change all keys, check Etherscan for unauthorized transactions, revoke all permissions, create new wallets, and document the incident.

Back in May, hackers created a malicious clone of Ledger Live for macOS. The perpetrators replaced the official app with a fake one that collected seed phrases and drained wallets.

In April, it was reported that operators of cryptocurrency theft software began renting out their tools. Novice fraudsters receive a set of necessary tools for a one-time fee of $100-300.
