- Ethereum core developer Zak Cole had his hot wallet drained after installing a malicious AI coding extension that stole his private key.
- The fake plugin, “contractshark.solidity-lang,” appeared legitimate with 54K downloads but secretly exfiltrated keys to an attacker’s server.
- The incident underscores the growing threat of sophisticated wallet drainers targeting both crypto investors and developers.
Even the most seasoned builders aren’t immune to slick, malicious code. Ethereum core developer Zak Cole learned that the hard way last week after installing what looked like a legitimate AI coding extension — only to discover it was a wallet drainer in disguise. The tool, “contractshark.solidity-lang,” came dressed up with a professional logo, polished copy, and over 54,000 downloads, but hidden under the veneer was a script that quietly stole his private key.
How the Attack Played Out
Cole said the plugin accessed his .env file, grabbed the key, and sent it to a remote server controlled by the attacker. For three days, the exploiter had open access to one of his hot wallets, eventually draining the funds on Sunday. Fortunately, the damage was limited — just a few hundred dollars worth of ETH — because Cole isolates small testing wallets from his primary holdings, which are kept on hardware devices. “In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” he wrote, underscoring how speed and convenience can cloud even an expert’s guard.
A Growing Threat in Crypto Development
Wallet drainers aren’t new, but they’re evolving. By blending into trusted development ecosystems and using polished branding, these malicious tools are catching even the most security-conscious users off guard. This wasn’t a clumsy phishing link — it was a stealthy supply chain compromise that lived inside an everyday coding workflow. And it’s far from an isolated case.
The Bigger Picture
Last year, a fake WalletConnect Protocol app lingered on Google Play for over five months before being removed — during which time it siphoned more than $70,000 in digital assets from unsuspecting users. The message for developers and investors alike is clear: every install, every extension, every dependency carries risk. In crypto, the most dangerous exploit might be the one you willingly invite into your own tools.
