{"id":26064,"date":"2025-08-13T17:32:06","date_gmt":"2025-08-13T14:32:06","guid":{"rendered":"https:\/\/forklog.com\/en\/ethereum-developer-falls-victim-to-malicious-ai-extension\/"},"modified":"2025-08-13T17:32:06","modified_gmt":"2025-08-13T14:32:06","slug":"ethereum-developer-falls-victim-to-malicious-ai-extension","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ethereum-developer-falls-victim-to-malicious-ai-extension\/","title":{"rendered":"Ethereum Developer Falls Victim to Malicious AI Extension"},"content":{"rendered":"<p>One of Ethereum&#8217;s key developers, Zak Cole, has fallen prey to a cryptocurrency drainer. The perpetrators stole the private key to his hot wallet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I&#8217;ve been in crypto for over 10 years and I\u2019ve Never been hacked. Perfect OpSec record.<\/p>\n<p>Yesterday, my wallet was drained by a malicious <a href=\"https:\/\/twitter.com\/cursor_ai?ref_src=twsrc%5Etfw\">@cursor_ai<\/a> extension for the first time.<\/p>\n<p>If it can happen to me, it can happen to you. Here\u2019s a full breakdown. \ud83e\uddf5\ud83d\udc47<\/p>\n<p>\u2014 zak.eth (@0xzak) <a href=\"https:\/\/twitter.com\/0xzak\/status\/1955265807807545763?ref_src=twsrc%5Etfw\">August 12, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;I&#8217;ve been in the crypto industry for over 10 years, and I&#8217;ve never been hacked. Perfect security reputation. However, yesterday my wallet was drained for the first time by a drainer in the form of the AI assistant Cursor,&#8221; he wrote.<\/p>\n<\/blockquote>\n<p>Cole installed the contractshark.solidity-lang extension, noticing nothing suspicious. It featured a professional icon design, a detailed description, and over 54,000 downloads.<\/p>\n<p>However, the plugin covertly copied the developer&#8217;s .env file, containing the private key, and sent it to the attackers&#8217; server. The hackers had access to Cole&#8217;s wallet for three days but only withdrew funds on August 10.<\/p>\n<p>According to the victim, the losses amounted to &#8220;a few hundred&#8221; dollars in ether. The majority of his funds are stored in hardware wallets.<\/p>\n<p>Cole noticed a notification about the transfer of funds. It was then he realized he had been hacked. After reviewing reports from Kaspersky Lab and other cybersecurity firms, the Ethereum developer discovered that the drainer was part of a campaign in which attackers had already stolen over $500,000.<\/p>\n<p>He also highlighted &#8220;red flags&#8221; he overlooked when installing the extension:<\/p>\n<ul class=\"wp-block-list\">\n<li>unofficial creator;<\/li>\n<li>lack of a GitHub link;<\/li>\n<li>high number of downloads and zero reviews;<\/li>\n<li>recent upload date \u2014 July 2025;<\/li>\n<li>imitation of a well-known extension&#8217;s name.<\/li>\n<\/ul>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Haste = ignoring instincts,&#8221; Cole emphasized.<\/p>\n<\/blockquote>\n<p>He advised users who have faced hacking to change all keys, check Etherscan for unauthorized transactions, revoke all permissions, create new wallets, and <a href=\"https:\/\/forklog.com\/en\/news\/how-to-report-crypto-fraud-structure-evidence-and-phrasing\">document the incident<\/a>.<\/p>\n<p>Back in May, hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-develop-malicious-ledger-live-clone-for-macos\">created<\/a> a malicious clone of Ledger Live for macOS. The perpetrators replaced the official app with a fake one that collected seed phrases and drained wallets.<\/p>\n<p>In April, it was reported that operators of cryptocurrency theft software <a href=\"https:\/\/forklog.com\/en\/news\/cryptocurrency-theft-software-operators-turn-to-rental-model\">began<\/a> renting out their tools. Novice fraudsters receive a set of necessary tools for a one-time fee of $100-300.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of Ethereum&#8217;s key developers, Zak Cole, has fallen prey to a cryptocurrency drainer. The perpetrators stole the private key to his hot wallet. I&#8217;ve been in crypto for over 10 years and I\u2019ve Never been hacked. Perfect OpSec record. Yesterday, my wallet was drained by a malicious @cursor_ai extension for the first time. If [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":26063,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,46],"class_list":["post-26064","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-ethereum"],"aioseo_notices":[],"amp_enabled":true,"views":"133","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/26064","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=26064"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/26064\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/26063"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=26064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=26064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=26064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}