Few secrets hold more financial value than the keys associated with cryptocurrency wallets. If a criminal obtains your private key, they have everything required to drain the associated account.
Unfortunately, wallet hijacking is nothing new. However, criminals are finding new and imaginative ways to obtain people’s keys. Zak Cole, a Web3 engineer and the founder of Number Group, recently lost funds after downloading a malicious extension for his code editor.
In this article, you’ll learn:
- How an attacker infiltrated Cole’s machine and stole his private key.
- Why malicious IDE extensions are so effective.
- What you can do to protect your keys and avoid scam extensions.
How Cole’s private key was stolen
Cole is “obsessive” about security and owns a combination of cold (i.e., hardware-based) and hot (i.e., software-based) crypto wallets. Using both wallet types is a common way to conveniently trade smaller amounts while maximizing the protection around long-term holdings.
“I've been doing this for a while, so I have pretty good habits,” he said.
The developer uses a code editor that offers extensions via Open VSX, an open-source alternative to Microsoft’s Visual Studio Marketplace.
Cole was storing a private wallet key in a .env file so he could deploy smart contracts on the Ethereum network. One Friday night, the developer wanted to make a trade when he noticed his Solidity file didn’t have syntax highlighting. To solve the issue, he downloaded a seemingly innocent extension that had all the indicators of authenticity: a nice logo, a well-written description, and, most persuasively, it had been downloaded tens of thousands of times previously.
Unfortunately, it was a malicious piece of software. The bad extension immediately read the .env file on Cole’s machine and sent the plaintext private key to its creator. Over the weekend, the attacker used the private key to steal “a few hundred dollars in Ethereum.”
Cole didn’t realize until he tried to deploy a new smart contract with the same key. “I looked deeper into the notifications and activity on the wallet,” Cole said. “The last of the Ethereum had been sent out 12 hours prior.”
If you want more details about Cole’s experience, check out his extensive and candid breakdown on social media (it’s well worth reading).
Why malicious IDE extensions are so effective
We’re all used to downloading extensions for our web browsers, code editors, or other software. And it’s common to download a new extension when you’re in a rush and need to get something done fast. That urgency can cause you to take action without thinking through or thoroughly researching what you’re installing, and who it was made by.
“I know this was an attack vector,” Cole explains. “I just wasn't really thinking.”
The developer was tricked by good old-fashioned imitation. As a security researcher notes, Cole downloaded an extension from Open VSX named “juanbIanco.solidity” whereas the original was called “juanblanco.solidity”. The switch from a lower-case “l” to an upper-case “i” was barely noticeable. “[Criminals] typo squat on legit extensions,” Cole explains. “They deploy a malicious extension and pump that one with fake reviews. Then they downvote-bomb the legit extension.”
The underlying technique is the same one cybercriminals use when they try to trick people with phishing emails and lookalike websites. Attackers often spoof an email address or website URL by changing a single character, hoping you won’t notice the typo.
How to defend against these types of attacks
Follow these guidelines if you want to avoid this kind of cybercrime:
Checking extensions carefully before downloading them
Don’t rush to install new apps and extensions. Instead, take a moment to check whether they’re safe and legitimate.
One way to do this is by copying and pasting the extension names into an app with a serif font like Times New Roman. “That’s one way you can identify typo squatting,” Cole explains.
If needed, contact the extension’s creator or visit their website to find a direct link to the directory listing.
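The serif-font check can also be automated. The following is an added example, not code from 1Password or Open VSX: it compares an extension ID against IDs you have already verified and reports the exact character that was swapped. The allowlist and the confusable-character map are constructed for illustration and cover only a small subset of look-alike characters.

```python
import unicodedata

# Constructed allowlist of IDs you have verified; only this one appears in the article.
TRUSTED_IDS = ["juanblanco.solidity"]

# Hand-picked characters that render alike in many sans-serif UI fonts.
# Assumption: illustrative subset, not the full Unicode confusables table.
CONFUSABLE = str.maketrans({
    "I": "l", "1": "l", "|": "l",                  # capital i, one, pipe -> lowercase L
    "0": "o",                                      # zero -> lowercase o
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
})


def skeleton(ext_id):
    """Collapse look-alike characters so visually identical IDs compare equal."""
    # Map confusables before lowercasing: lower() would turn "I" into "i", not "l".
    return unicodedata.normalize("NFKC", ext_id).translate(CONFUSABLE).lower()


def char_diffs(candidate, trusted):
    """List (index, found, expected) for each position where the IDs differ."""
    norm = unicodedata.normalize("NFKC", candidate)
    return [(i, c, t) for i, (c, t) in enumerate(zip(norm, trusted)) if c != t]


def check_extension(candidate, trusted_ids=TRUSTED_IDS):
    """Return (verdict, matched_trusted_id, diffs) for one extension ID."""
    # Assumption: IDs that differ only in letter case name the same listing.
    for trusted in trusted_ids:
        if candidate.lower() == trusted.lower():
            return ("trusted", trusted, [])
    # Same skeleton but not the same ID: an imitation of a trusted extension.
    for trusted in trusted_ids:
        if skeleton(candidate) == skeleton(trusted):
            return ("lookalike", trusted, char_diffs(candidate, trusted))
    return ("unknown", None, [])


if __name__ == "__main__":
    for ext in ["juanblanco.solidity", "juanbIanco.solidity", "example.theme"]:
        verdict, match, diffs = check_extension(ext)
        detail = ", ".join(
            f"index {i}: U+{ord(c):04X} where U+{ord(t):04X} expected"
            for i, c, t in diffs
        )
        print(f"{ext!r}: {verdict} {match or ''} {detail}".rstrip())
```

An "unknown" verdict only means the ID resembles nothing on your allowlist; it still needs the manual checks described above.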
Keep secrets out of code
Teams are often under pressure to deliver projects on time and under budget. Strict deadlines can cause contributors to make honest mistakes, like leaving API keys, security tokens, and other credentials visible in code. Opportunistic attackers then exploit these secrets to gain malicious access to sensitive company information and systems.
The solution: eliminate plaintext secrets from line one in your code.
You can store cryptocurrency wallet keys, developer secrets, and more in 1Password's password manager. When you need to leverage these secrets in a project – for example, in a .env file – you can use secret references. You can think of these like signposts that tell your project to retrieve the required value in 1Password.
Secret references keep plaintext secrets out of code while ensuring your projects always have access to the most up-to-date values. In Zak’s case, he could have stored his wallet keys in 1Password and used a secret reference. That way, the malicious extension wouldn’t have been able to obtain the private key by reading his .env file.
“I'm definitely going to implement that in my current workflow,” Cole said.
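To find out whether a project still has plaintext secrets of the kind the extension read, you can audit its .env files. This is an added example, not 1Password's own tooling: it separates values that are `op://` secret references from values that look like raw secrets, including the 64 hex characters of an Ethereum private key. The sample file, variable names and vault path are constructed.

```python
import re

# A 32-byte key written as 64 hex characters, with or without a 0x prefix.
HEX_KEY = re.compile(r"(0x)?[0-9a-fA-F]{64}")
# Variable names that usually hold credentials (heuristic, extend as needed).
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|MNEMONIC", re.I)

# Constructed sample .env; names, values and the vault path are hypothetical.
SAMPLE_ENV = "\n".join([
    "# deploy settings",
    "RPC_URL=https://rpc.example.invalid",
    "DEPLOYER_PRIVATE_KEY=0x" + "a1" * 32,
    'ETHERSCAN_API_KEY="op://dev-vault/etherscan/credential"',
    "export WEBHOOK_TOKEN='constructed-not-a-real-token'",
])


def audit_env(text):
    """Return (line_number, name, verdict) for each secret-bearing line.

    Values are never returned or printed, so the report is safe to log.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.removeprefix("export ").strip()
        value = value.strip().strip("'\"")
        if value.startswith("op://"):
            verdict = "reference"          # resolved at run time, nothing to steal here
        elif HEX_KEY.fullmatch(value):
            verdict = "raw-32-byte-key"    # readable by anything with file access
        elif SECRET_NAME.search(name) and value:
            verdict = "plaintext-secret"
        else:
            continue
        findings.append((lineno, name, verdict))
    return findings


def plaintext_findings(text):
    """Only the lines that still expose a secret in the file itself."""
    return [f for f in audit_env(text) if f[2] != "reference"]


if __name__ == "__main__":
    for lineno, name, verdict in audit_env(SAMPLE_ENV):
        print(f"line {lineno}: {name}: {verdict}")
```

Lines reported as "reference" hold only a pointer; the 1Password CLI substitutes the real value when the project is started with `op run --env-file`.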
Use cold wallets
If you’re uncomfortable using hot wallets, you can always switch to cold wallets for extra protection. Many options are available on the market, helping you find the right balance of security and convenience.
“I have pretty good habits and don't put any more in a wallet than I'm willing to lose,” Cole explained, “unless it's in cold storage.”
Do you have any advice for keeping your cryptocurrency secure? Share your tips in our forum!
Coming soon: More ways to secure and streamline your workflows
1Password is on a mission to simplify how you manage SSH keys, API tokens, and other infrastructure secrets. We also want to help developers ensure that AI agents only retrieve the credentials and secrets they’re explicitly authorized to use.
If you haven’t tried them already, check out:
- Git commit signing with SSH through the 1Password app
- Use secret references with the 1Password for VS Code extension
- Manage environment variables and secrets with 1Password environments
We’ll have more to share on how you can secure and collaborate on .env files soon. Subscribe to the 1Password developer newsletter to stay in the loop!
1P_nick
1Password Team