Ethereum Core Dev’s Wallet Drained by Rogue AI Tool in Brazen Supply Chain Attack

Ethereum core developer Zak Cole had his hot wallet drained after installing a malicious AI coding extension that stole his private key.
The fake plugin, “contractshark.solidity-lang,” appeared legitimate with 54K downloads but secretly exfiltrated keys to an attacker’s server.
The incident underscores the growing threat of sophisticated wallet drainers targeting both crypto investors and developers.

Even the most seasoned builders aren’t immune to slick, malicious code. Ethereum core developer Zak Cole learned that the hard way last week after installing what looked like a legitimate AI coding extension — only to discover it was a wallet drainer in disguise. The tool, “contractshark.solidity-lang,” came dressed up with a professional logo, polished copy, and over 54,000 downloads, but hidden under the veneer was a script that quietly stole his private key.

3/ What ACTUALLY Happened:

Aug 7, 11:02 – Installed extension
Aug 7, 11:03 – Opened my project
Aug 7, 11:05 – Extension silently read my .env file
Aug 7, 11:06 – Sent my private key to attacker's server
Aug 10 – Wallet drained

3 days of access.
— zak.eth (@0xzak) August 12, 2025

How the Attack Played Out

Cole said the plugin accessed his .env file, grabbed the key, and sent it to a remote server controlled by the attacker. For three days, the exploiter had open access to one of his hot wallets, eventually draining the funds on Sunday. Fortunately, the damage was limited — just a few hundred dollars worth of ETH — because Cole isolates small testing wallets from his primary holdings, which are kept on hardware devices. “In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” he wrote, underscoring how speed and convenience can cloud even an expert’s guard.

A Growing Threat in Crypto Development

Wallet drainers aren’t new, but they’re evolving. By blending into trusted development ecosystems and using polished branding, these malicious tools are catching even the most security-conscious users off guard. This wasn’t a clumsy phishing link — it was a stealthy supply chain compromise that lived inside an everyday coding workflow. And it’s far from an isolated case.

The Bigger Picture

Last year, a fake WalletConnect Protocol app lingered on Google Play for over five months before being removed — during which time it siphoned more than $70,000 in digital assets from unsuspecting users. The message for developers and investors alike is clear: every install, every extension, every dependency carries risk. In crypto, the most dangerous exploit might be the one you willingly invite into your own tools.

Disclaimer: BlockNews provides independent reporting on crypto, blockchain, and digital finance. All content is for informational purposes only and does not constitute financial advice. Readers should do their own research before making investment decisions. Some articles may use AI tools to assist in drafting, but every piece is reviewed and edited by our editorial team of experienced crypto writers and analysts before publication.

Tags: crypto eth Finance opinion