Ethereum News Today: Ethereum Dev Loses Funds to Rogue AI Extension Scam

Generated by AI Agent, Coin World
Wednesday, Aug 13, 2025, 8:28 am ET

Summary

- Ethereum core developer Zak Cole lost funds after a rogue AI extension "contractshark.solidity" stole his private key via `.env` file exfiltration, highlighting a growing threat to crypto professionals.

- Malicious VS Code/browser extensions, often using fake publishers and typosquatting, are now major attack vectors, with some wallet-draining tools sold as $100 "software-as-a-service" (AMLBot).

- Similar attacks include a 2024 WalletConnect Protocol scam stealing $70,000 and fake reviews mimicking legitimate feedback, underscoring the need for hardware wallets and secure development practices.

- Security experts warn attackers leverage AI and SaaS models to refine tactics, urging users to avoid plaintext secrets and vet third-party extensions to combat this evolving threat.

A core Ethereum developer, Zak Cole, became the latest victim of a sophisticated crypto wallet-draining scam linked to a rogue artificial intelligence (AI) extension. In a post on X, Cole revealed that the extension, titled “contractshark.solidity-lang,” appeared legitimate with a professional icon and had over 54,000 downloads. However, it secretly exfiltrated his private key by reading his `.env` file and transmitting the data to an attacker’s server. This allowed unauthorized access to his hot wallet for three days before the funds were drained on August 10 [1].

Cole emphasized that despite more than a decade of experience, he had never lost funds to a hack until this incident, which occurred while he was rushing to deploy a smart contract. He noted the loss was relatively small—around “a few hundred dollars in Ether”—due to his security practice of using isolated, small hot wallets for testing, while keeping the majority of his holdings in hardware wallets [1].

The attack highlights the growing threat of wallet drainers—malware specifically designed to steal digital assets—targeting not just retail investors but also experienced blockchain developers. These malicious extensions increasingly exploit the trust users place in the extension marketplaces of widely used tools such as VS Code and web browsers. Hakan Unal, senior security operations lead at Cyvers, described such malicious VS Code and browser extensions as a “major attack vector,” often using tactics like fake publishers and typosquatting to mislead users [2].

This incident follows a similar breach in September 2024, when a malicious app disguised as the WalletConnect Protocol appeared on the Google Play Store for over five months, stealing over $70,000 worth of cryptocurrency from investors [3]. Fake reviews on the app’s page even included irrelevant features, suggesting the attackers were attempting to mimic legitimate user feedback.

The ease with which such scams are being executed is alarming. AMLBot reported in April that wallet drainers are now sold as a “software-as-a-service” model, with scammers able to rent access to the tools for as little as $100 [4]. This commodification of cybercrime lowers the barrier to entry, enabling even less technically proficient criminals to exploit the crypto ecosystem.

Security experts stress the importance of vetting third-party extensions, avoiding the storage of secrets in plain text or `.env` files, and using hardware wallets and isolated development environments [2]. As the incident involving Zak Cole demonstrates, even experts are not immune to these evolving threats. The crypto community must remain vigilant as attackers continue to refine their methods, leveraging AI and software-as-a-service models to make wallet-draining attacks more accessible and harder to detect.
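As an added illustration of the last recommendation (this is not code from the article or from anyone it quotes), the Python check below parses a project's `.env` file the same way a rogue extension would read it and flags entries that look like an Ethereum private key or a BIP-39 seed phrase, so a pre-commit hook or CI job can refuse to proceed while such a value sits in plain text. The sample `.env` contents and the list of suspect variable names are constructed assumptions, and the key and phrase shown are placeholders.

```python
import re

# An Ethereum (secp256k1) private key is 32 bytes: 64 hex chars, optionally 0x-prefixed.
PRIVKEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# A BIP-39 seed phrase is 12 or 24 lowercase words; the wordlist is not embedded here,
# so only the shape is checked (3 to 8 letters per word).
MNEMONIC_RE = re.compile(r"^([a-z]{3,8} ){11}[a-z]{3,8}$|^([a-z]{3,8} ){23}[a-z]{3,8}$")
# Assumed variable names typical of deploy scripts; a non-empty value in any of them is a finding.
SUSPECT_NAMES = ("PRIVATE_KEY", "PRIV_KEY", "DEPLOYER_KEY", "MNEMONIC", "SEED")

def parse_dotenv(text):
    """Minimal .env parser: KEY=VALUE per line, blanks/comments skipped, quotes stripped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        entries[key] = value.strip().strip('"').strip("'")
    return entries

def find_secrets(text):
    """Return (variable, reason) pairs for entries that look like wallet secrets."""
    findings = []
    for key, value in parse_dotenv(text).items():
        if PRIVKEY_RE.match(value):
            findings.append((key, "64-hex-char value looks like an Ethereum private key"))
        elif MNEMONIC_RE.match(value):
            findings.append((key, "12/24-word value looks like a BIP-39 seed phrase"))
        elif value and any(name in key.upper() for name in SUSPECT_NAMES):
            findings.append((key, "secret-like variable name holds a plaintext value"))
    return findings

# Constructed sample .env; the key and phrase are placeholders, not real credentials.
SAMPLE_ENV = """# deployer config
RPC_URL=https://example.invalid/rpc
export PRIVATE_KEY="0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
MNEMONIC='test test test test test test test test test test test junk'
ETHERSCAN_API_KEY=placeholder
"""

if __name__ == "__main__":
    for var, reason in find_secrets(SAMPLE_ENV):
        print(f"{var}: {reason}")  # a CI hook would exit non-zero on any finding
```

A hit means the secret belongs in a hardware wallet or an OS keychain-backed signer rather than in a file that any extension with filesystem access can read.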

Sources:

[1] Core Ethereum Devs Crypto Wallet Drained AI Extension, https://cointelegraph.com/news/core-ethereum-devs-crypto-wallet-drained-ai-extension

[2] 0xaudron, https://x.com/0xaudron

[3] Today's Top Cryptocrime News Stories, https://cybersecurityventures.com/cryptocrime/