Ethereum core dev’s crypto wallet drained by malicious AI extension

Source: BB Finews
Published date: 8/15/25, 4:32 PM

A core Ethereum developer said he was hit by a cryptocurrency wallet drainer linked to a rogue code assistant, underscoring how even seasoned builders can be caught by increasingly polished scams.

Core Ethereum developer Zak Cole fell victim to a malicious artificial intelligence extension from Cursor AI, which enabled the attacker to access his hot wallet for three days before draining the funds, he said in a Tuesday X post.

The developer installed the “contractshark.solidity-lang” extension, which appeared legitimate with a professional icon, descriptive copy and more than 54,000 downloads, but it silently exfiltrated his private key. The plugin “read my .env file” and sent the key to an attacker’s server, giving access to a hot wallet for three days before funds were drained on Sunday, he said.

“In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, adding that the loss was limited to a “few hundred” dollars in Ether (ETH) because he uses small, project-segregated hot wallets for testing and keeps primary holdings on hardware devices.

Wallet drainers — malware designed to steal digital assets — are becoming a growing threat to cryptocurrency investors.

In September 2024, a wallet drainer disguised as the WalletConnect Protocol stole over $70,000 worth of digital assets from investors after being live on the Google Play store for over five months.

Some of the fake reviews on the spoofed WalletConnect app mentioned features that had nothing to do with crypto. Source: Check Point Research

Extensions are becoming a ‘major attack vector’ for crypto builders

Malicious VS Code and extensions are becoming a “major attack vector, using fake publishers and typosquatting to steal private keys,” according to Hakan Unal, senior security operations lead at blockchain security firm Cyvers.

“Builders should vet extensions, avoid storing secrets in plain text or .env file, use hardware wallets, and develop in isolated environments.”
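To make the advice about plain-text secrets and .env files concrete, here is an added example (not code from the article or from anyone quoted in it) that walks a project tree and reports .env entries that look like key material, which is exactly what an extension with file access could read. The variable-name hints, skipped directories and sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# A 32-byte hex value, optionally 0x-prefixed: the shape of a raw Ethereum private key.
HEX_KEY = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")
# Variable names that suggest key material (assumed list; extend for your projects).
NAME_HINT = re.compile(r"PRIVATE|SECRET|MNEMONIC|SEED", re.I)
SKIP_DIRS = {"node_modules", ".git"}

def parse_env(text):
    """Yield (line_no, name, value) for KEY=VALUE lines, skipping comments and blanks."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, value = line.split("=", 1)
        yield no, name.strip(), value.strip().strip("'\"")

def scan(root):
    """Return (relative_path, line_no, name, reason) findings; secret values are never returned."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob(".env*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        for no, name, value in parse_env(path.read_text(errors="replace")):
            if HEX_KEY.match(value):
                findings.append((rel.as_posix(), no, name, "raw 32-byte hex key"))
            elif value and NAME_HINT.search(name):
                findings.append((rel.as_posix(), no, name, "secret-like variable name"))
    return findings

def demo():
    """Scan a constructed project tree (sample data, not taken from the incident)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "contracts").mkdir()
        (root / ".env").write_text("# constructed sample\nRPC_URL=https://rpc.example.invalid\n"
                                   "DEPLOYER_KEY=0x" + "ab" * 32 + "\n")
        (root / "contracts" / ".env.local").write_text('export MNEMONIC="word1 word2 word3"\nCHAIN_ID=1\n')
        return scan(root)

if __name__ == "__main__":
    for rel, no, name, reason in demo():
        print(f"{rel}:{no}: {name}: {reason}")
```

Any finding means the key is readable by every process and editor extension running as the same user, so it should be moved to a hardware wallet or a secrets manager and the exposed key rotated.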

Meanwhile, crypto drainers are becoming even more accessible for scammers.

An April 22 report from crypto forensics and compliance firm AMLBot revealed that these drainers are sold under a software-as-a-service model, enabling scammers to rent them for as little as $100 USDt (USDT), Cointelegraph reported.
