Cybercriminals have successfully orchestrated a sophisticated attack targeting blockchain developers, stealing $500,000 in cryptocurrency from a Russian developer through a malicious code extension designed for AI-powered development environments.
This incident highlights the growing threat of weaponized open-source packages in the cryptocurrency ecosystem.
The Sophisticated Deception
In June 2025, a Russian blockchain developer fell victim to an elaborate cyberattack despite taking security precautions on a freshly installed system.
The attack vector was a malicious Solidity Language extension for Cursor AI IDE, an AI-assisted development platform based on Visual Studio Code.
The fake extension, masquerading as a legitimate syntax highlighter for smart contract development, had accumulated 54,000 downloads from the Open VSX registry.
Security researchers discovered that the malicious extension contained no actual functionality for syntax highlighting or smart contract development. Instead, it executed a PowerShell script from the server angelic[.]su, which initiated a complex infection chain.
The attackers had cleverly copied the description from a legitimate extension with 61,000 downloads, making their fake version appear credible to unsuspecting developers.
The malicious extension ranked fourth in search results for “solidity,” while the legitimate version appeared eighth.

This positioning advantage occurred due to the registry’s ranking algorithm, which considers multiple factors including recency of updates, downloads, and ratings.
The fake extension’s June 15, 2025 update date gave it a relevance boost over the legitimate version’s May 30, 2025 update.
Multi-Stage Attack Infrastructure
Once installed, the malicious extension triggered a sophisticated attack chain. The initial PowerShell script checked for ScreenConnect remote management software and, if absent, downloaded and installed it from lmfao[.]su.
This established persistent remote access to the victim’s machine through the command-and-control server relay.lmfao[.]su.
The attackers then deployed three VBScripts (a.vbs, b.vbs, and m.vbs) that downloaded obfuscated PowerShell scripts from paste.ee.
These scripts retrieved images from archive.org containing the VMDetector loader, previously observed in Latin American phishing campaigns.
The final payloads included the Quasar open-source backdoor and a specialized stealer targeting browsers, email clients, and cryptocurrency wallets.
Expanding Campaign
The threat actors didn’t limit their activities to a single malicious package. After the original extension was removed on July 2, 2025, they published a new version named “solidity” with an inflated download count of two million.
They also deployed similar attacks through Visual Studio Code extensions (solaibot, among-eth, blankebesxstnion) and an npm package called “solsafe.”
This campaign demonstrates how attackers exploit the trust developers place in open-source repositories.
The use of typosquatting techniques, such as replacing the letter “l” with “I” in developer names (juanblanco vs juanbIanco), further compounds the deception potential in development environments where font rendering makes such distinctions nearly invisible.
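Two of the warning signs described above lend themselves to an automated check on a developer workstation: a publisher name that only looks like a trusted one once “I” and “l” are folded together, and a “syntax highlighter” whose package manifest contributes no grammar but whose activation script shells out to PowerShell or references the campaign’s staging domains. The following Python is an added defender-side example, not code from the article or from any extension registry; the trusted-publisher list, the confusable-character mapping, the extension directory paths in the comments and the two sample packages are assumptions constructed for illustration, and only the domains named in the article are used as indicators.

```python
"""Audit installed VS Code / Cursor extensions for the warning signs described
in the malicious Solidity-extension incident: lookalike publisher names,
highlighters that contribute no grammar, and activation code that invokes
PowerShell or references the campaign's infrastructure.

Added example; not the article's or any registry's code.
"""
import json
import re
from pathlib import Path

# Domains the article names in the infection chain, with defanging removed so
# they can be matched against extension source text.
KNOWN_BAD_DOMAINS = {d.replace("[.]", ".") for d in
                     ("angelic[.]su", "lmfao[.]su", "relay.lmfao[.]su")}

# Assumption: publishers this workstation trusts (the legitimate Solidity
# extension's publisher named in the article).
TRUSTED_PUBLISHERS = {"juanblanco"}

# Characters that render almost identically in common IDE fonts, folded to
# one canonical form before comparing publisher names. Constructed mapping.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Strings in extension JavaScript/TypeScript that indicate a PowerShell launch.
POWERSHELL_PATTERNS = re.compile(
    r"powershell(\.exe)?|-EncodedCommand|Invoke-Expression|\biex\b", re.I)


def fold_confusables(name: str) -> str:
    """Return a publisher name with look-alike characters canonicalised."""
    return name.translate(CONFUSABLES).lower()


def audit_extension(files: dict) -> list:
    """files maps relative path -> text content of one extension package
    (package.json plus its JS/TS sources). Returns human-readable findings;
    an empty list means nothing suspicious was seen."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))

    # 1. Lookalike publisher: not trusted as written, but trusted once folded.
    publisher = manifest.get("publisher", "")
    folded = fold_confusables(publisher)
    if publisher.lower() not in TRUSTED_PUBLISHERS and folded in TRUSTED_PUBLISHERS:
        findings.append(f"publisher {publisher!r} is a lookalike of trusted {folded!r}")

    # 2. Claims syntax highlighting but registers no language or grammar.
    contributes = manifest.get("contributes", {})
    claims_highlighting = "highlight" in json.dumps(
        [manifest.get("description", ""), manifest.get("keywords", [])]).lower()
    provides_highlighting = bool(contributes.get("grammars") or contributes.get("languages"))
    if claims_highlighting and not provides_highlighting:
        findings.append("claims syntax highlighting but contributes no grammars or languages")

    # 3. Activation code that spawns PowerShell or names a known campaign domain.
    for path, text in files.items():
        if not path.endswith((".js", ".ts")):
            continue
        if POWERSHELL_PATTERNS.search(text):
            findings.append(f"{path}: invokes PowerShell")
        hits = [d for d in sorted(KNOWN_BAD_DOMAINS) if d in text]
        if hits:
            findings.append(f"{path}: references known campaign domain(s) {', '.join(hits)}")
    return findings


def load_extension_dir(root: str) -> dict:
    """Read one installed extension folder into the dict audit_extension expects.
    Assumed locations: ~/.vscode/extensions/<publisher>.<name>-<version> for
    VS Code and ~/.cursor/extensions/... for Cursor."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
            for p in base.rglob("*")
            if p.is_file() and (p.name == "package.json" or p.suffix in (".js", ".ts"))}


# Constructed sample modelled on the article's description of the fake extension:
# lookalike publisher, empty "contributes", and a PowerShell stager stub.
FAKE_EXTENSION = {
    "package.json": json.dumps({
        "name": "solidity", "publisher": "juanbIanco",
        "description": "Ethereum Solidity language support with syntax highlighting",
        "main": "./out/extension.js", "contributes": {}}),
    "out/extension.js": (
        "const { exec } = require('child_process');\n"
        "// constructed stub: the real stager fetched its script from angelic.su\n"
        "exec('powershell.exe -NoProfile -File stage1.ps1');\n"),
}

# Constructed sample of what a genuine highlighter manifest looks like.
LEGIT_EXTENSION = {
    "package.json": json.dumps({
        "name": "solidity", "publisher": "juanblanco",
        "description": "Ethereum Solidity language support with syntax highlighting",
        "contributes": {"languages": [{"id": "solidity"}],
                        "grammars": [{"language": "solidity",
                                      "scopeName": "source.solidity",
                                      "path": "./syntaxes/solidity.json"}]}}),
    "out/extension.js": "exports.activate = () => {};\n",
}

if __name__ == "__main__":
    import sys
    target = load_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else FAKE_EXTENSION
    for line in audit_extension(target) or ["no findings"]:
        print(line)
```

Run it with the path of an installed extension folder to audit that package, or with no arguments to see the four findings the constructed fake produces. The publisher check is deliberately narrow (it only fires when folding confusables turns an untrusted name into a trusted one) so that it flags the “juanbIanco” pattern without complaining about every unknown publisher; the grammar check catches the article’s core tell, a highlighter with nothing to highlight.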