Zak Cole, a member of Ethereum’s core developer team, suffered a wallet-draining hack. Cole claimed on August 12 that a malicious extension for the AI code editor Cursor.ai led to the attack. While he did not disclose the exact amount of funds he lost, Cole did share elaborate details on how the hack was executed, in an attempt to spread awareness in the crypto community.
Breakdown of the hack
The malicious extension, called “contractshark.solidity-lang”, allowed the hacker to control his hot wallet. For three days, the attacker maintained control of this web-connected wallet before eventually draining the funds.
Justifying his interaction with the infected extension, Cole said that its logo and descriptive copy made it appear legitimate. He added that the extension showed over 54,000 downloads.
“I’m obsessive about security. Hardware wallets, segregated hot wallets, unique passwords, 2FA everything. In 10+ years, I have never lost a single wei to hackers. Then I rushed to ship a contract last week,” Cole said, advising others to avoid haste while working with hot wallets.
The software engineer revealed that the extension “silently” read his “.env file”, where his private key was stored, exposing it to the hacker.
“Only lost a few hundred $ in ETH because I follow strict practices,” Cole said. He highlighted that he only maintains small balances on his hot wallets, which he mainly uses for testing purposes. He also told his followers that he stores his main funds in hardware wallets. “Without these practices, I’d be posting a very different thread,” Cole noted.
Identifying the hack
After he received a “wallet drained notification”, Cole checked his installation records. After more digging, he identified the malicious extension as part of a theft campaign that has already been used to steal over $500,000.
Cole also listed the red flags he missed, which allowed the attack to succeed. He said that he could not find a GitHub repository linked to the extension. While the extension showed high download volumes, it did not show any reviews, and its publish date was fairly recent, dated to July 2025.
“Never: Store private keys in .env files, trust download counts alone, install extensions while rushing, use hot wallets for anything valuable. Always: verify publisher carefully, check GitHub repo, and use hardware wallets,” he advised.
Cole is a Web3 developer, protocol engineer, and software entrepreneur, as per Crunchbase. He has not clarified whether the attacker has been identified yet.
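Two of the checks Cole describes can be run locally. The following is an added example, not code from Cole or from this article: it flags `.env` entries shaped like a raw hex private key and installed extensions whose `package.json` links no repository. The sample tree is constructed, the key is assumed to be stored as 64 hex characters, and the editor's extensions folder is a path you pass in.

```python
import json, re, tempfile
from pathlib import Path

# A raw secp256k1 private key is 32 bytes: 64 hex chars, optionally 0x-prefixed.
KEY_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*[\"']?(?:0x)?[0-9a-fA-F]{64}[\"']?\s*$")

def env_key_findings(root):
    """Return (file, line_no, variable) for each .env entry shaped like a raw key."""
    findings = []
    for path in sorted(Path(root).rglob(".env*")):
        if not path.is_file():
            continue
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = KEY_RE.match(line)
            if m:
                findings.append((path.name, no, m.group(1)))  # never echo the value
    return findings

def extensions_without_repo(ext_dir):
    """Return 'publisher.name' for installed extensions whose manifest links no repository."""
    missing = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(errors="replace"))
        except json.JSONDecodeError:
            continue
        repo = meta.get("repository")
        url = repo.get("url") if isinstance(repo, dict) else repo
        if not url:
            missing.append(f"{meta.get('publisher', '?')}.{meta.get('name', '?')}")
    return missing

def build_demo(root):
    """Constructed sample tree: one project with a .env, two extension folders."""
    root = Path(root)
    (root / "proj").mkdir()
    (root / "proj" / ".env").write_text(
        "RPC_URL=https://rpc.example.invalid\nPRIVATE_KEY=0x" + "ab" * 32 + "\n")
    for folder, meta in {
        "good.ext-1.0.0": {"publisher": "good", "name": "ext",
                           "repository": {"url": "https://example.invalid/good/ext"}},
        "unknown.tool-0.1.0": {"publisher": "unknown", "name": "tool"},
    }.items():
        (root / "ext" / folder).mkdir(parents=True)
        (root / "ext" / folder / "package.json").write_text(json.dumps(meta))
    return root

if __name__ == "__main__":
    demo = build_demo(tempfile.mkdtemp())
    print(env_key_findings(demo / "proj"), extensions_without_repo(demo / "ext"))
```

A missing repository link is only a prompt to look closer at the publisher, and a clean result does not show an extension is safe.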

