UPDATED: Have Ethereum Devs Been Tricked by Scammers’ Malicious Code? What We Know

Scammers are targeting Ethereum projects with a fake extension for developers.

Ethereum logo burning in an alien landscape.
Created by Gabor Kovacs from DailyCoin
  • Scammers are targeting Ethereum developers.
  • The ploy could put multiple projects at risk.
  • Extension-based exploits are nothing new in the crypto space.

As with any young industry of significant value, the crypto industry is rife with bad actors seeking to take a share of the value for themselves at the expense of others. Over the years, these bad actors have employed a wide range of tactics, from complex social engineering schemes to simple honey pots, making it necessary for industry participants to always be on the alert.

In the latest instance, these bad actors appear to be taking a unique approach to targeting crypto projects with a malicious extension.

A Wild VS Code Extension Appears

Scammers are targeting Ethereum projects with a fake extension for developers. Crypto trader “Sagey” was the first to raise the alarm about the ploy on Wednesday, October 2. Sagey warned that scammers had launched a potentially malicious Solidity Microsoft VS Code extension called “Solidity for Ethereum Language.”

Sagey speculated that the extension could compromise projects unsuspecting developers are working on, leading to user losses.

Lead Yearn Finance developer “banteg” confirmed Sagey’s suspicions, asserting that the extension is rigged to download malicious code immediately after it is activated, though the code itself is heavily obfuscated.

Following up on the situation, Boring Security researcher “Fantasy” deobfuscated the code and found that it contained an “info stealer” and ransomware.

Developers Already Tricked?

The extension, purporting to be from the Ethereum Foundation, claims over 1.7 million downloads and a five-star rating despite having been published only within the past 24 hours. While banteg has suggested that these downloads are likely from bots, at least one developer has nearly been done in by the exploit.

Research lead at growthepie.xyz Lorenz Lehmann reported that he had installed the software but was saved by the fact that he was not running Windows. Through his own investigation, Lehmann found that the malicious payload was fetched from a Russian server.

At the time of writing, it remains unclear if any developers or DApps have been affected. banteg called on developers who may have downloaded the extension to delete and report it.

Who Is At Risk?

According to banteg, the malicious VS Code extension currently appears to target only Windows users, which matches Lehmann’s experience. It is not immediately clear whether the attackers have also launched similar extensions targeting other ecosystems and operating systems.

However, as highlighted by Sagey, it only takes a minor oversight to potentially compromise an entire project.

“you only need 1 dev without coffee for it to ruin a project and its users,” the trader wrote.

How To Stay Safe

Extension-based exploits are nothing new in the crypto space. While the recent exploit primarily targets developers, there have been incidents where users have been targeted directly. In June 2024, a Binance user revealed they had lost $1 million to a malicious Chrome extension called “Aggr.”

Extensions are emerging as an attack vector because marketplaces typically do not manually review them for malware. While users can inspect an extension’s code themselves, doing so usually requires significant expertise and time. Still, there are measures everyday users can take to reduce the chances of falling victim to these types of scams. See some tips below:

  • Only download extensions from well-known publishers with large user communities.
  • Review permissions to ensure extensions do not request data unrelated to their function.
  • Be cautious of new and unverified extensions.
  • Consider using a reputable malware scanner.
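VS Code has no permission model for extensions: once installed, an extension runs with the user’s full privileges and shows no permission prompt, so for VS Code the “review permissions” tip means reading the manifest and entry script yourself. The audit script below is an added example, not code from the article or from any of the researchers quoted; it walks the local extension folder and flags the signals the article describes (an unvetted publisher, a brand claim the publisher does not back, activation on every editor start, an entry script that spawns processes or fetches remote content, and heavily obfuscated bundles). The publisher allow-list and the default extension path are assumptions to adjust for your own setup.

```python
import json
import re
from pathlib import Path

# Assumed allow-list of publisher IDs your team has vetted (placeholders, not real IDs).
TRUSTED_PUBLISHERS = {"vetted-publisher-a", "vetted-publisher-b"}
# Brand the article says the fake extension impersonated; extend for your own ecosystem.
IMPERSONATED_BRANDS = ("ethereum foundation",)
# Source patterns that justify a manual read. Legitimate extensions (language servers, for
# example) trigger some of these too, so treat hits as prompts for review, not verdicts.
SUSPICIOUS = {
    "spawns processes": re.compile(r"child_process|\bspawn\s*\(|\bexecSync\s*\("),
    "evaluates dynamic code": re.compile(r"\beval\s*\(|new Function\s*\("),
    "fetches remote content": re.compile(r"https?://|\bfetch\s*\(|\bhttps?\.get\s*\("),
}

def audit_manifest(manifest: dict, main_js: str) -> list[str]:
    """Return human-readable findings for one extension manifest and its entry script."""
    findings = []
    publisher = manifest.get("publisher", "").lower()
    if publisher not in TRUSTED_PUBLISHERS:
        findings.append(f"unvetted publisher '{publisher}'")
    # "*" and onStartupFinished run the extension with no user action, as banteg described.
    if set(manifest.get("activationEvents", [])) & {"*", "onStartupFinished"}:
        findings.append("activates on every VS Code start")
    blurb = (manifest.get("displayName", "") + " " + manifest.get("description", "")).lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in blurb and brand.replace(" ", "") not in publisher:
            findings.append(f"claims '{brand}' but publisher is '{publisher}'")
    for label, pattern in SUSPICIOUS.items():
        if pattern.search(main_js):
            findings.append(f"entry script {label}")
    # Heavily obfuscated bundles are typically a handful of enormous lines.
    if any(len(line) > 5000 for line in main_js.splitlines()):
        findings.append("entry script has very long lines (minified or obfuscated)")
    return findings

def audit_installed(root: Path = Path.home() / ".vscode" / "extensions") -> dict[str, list[str]]:
    """Walk the local extension folder (assumed default VS Code layout) and audit each manifest."""
    report = {}
    for manifest_path in root.glob("*/package.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        entry = manifest_path.parent / manifest.get("main", "extension.js")
        main_js = entry.read_text(encoding="utf-8", errors="replace") if entry.is_file() else ""
        report[manifest_path.parent.name] = audit_manifest(manifest, main_js)
    return report

if __name__ == "__main__":
    for name, findings in audit_installed().items():
        print(name, "->", "; ".join(findings) or "no flags")
```

Run it after installing anything new; an extension that trips several flags at once is worth removing until you have read its source.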

On the Flipside

  • There is no evidence to suggest that any DApps have been affected by the malicious extension.

Why This Matters

The malicious extension could put several DApps and millions of dollars in investor assets at risk.

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Author
Okoya David

David Okoya is a journalist at DailyCoin covering DeFi ecosystems and exchanges. David has moderate holdings in Bitcoin, and minor holdings in LINK, DOT, INJ, and memecoins.
