Malicious Chrome Extension Silently Steals and Injects Hidden SOL Fees Into Solana Swaps

A new threat has emerged in the Solana trading community. Security researchers have discovered a malicious Chrome extension named Crypto Copilot that appears to offer convenient trading features but secretly siphons cryptocurrency from users during transactions.

Published on the Chrome Web Store on June 18, 2024, the extension has managed to remain available while quietly stealing funds from hundreds of traders who believed they were using a legitimate tool.

The extension positions itself as a seamless solution for Solana traders looking to execute quick swaps directly from the X social media platform.

It connects to popular wallets like Phantom and Solflare, displays real-time token data from DexScreener, and routes transactions through Raydium, one of the largest decentralized exchanges on Solana.

The marketing materials promise speed, convenience, and one-click trading without mentioning any hidden costs or extra transactions.

Socket.dev security analysts identified the malicious behavior embedded within the extension’s code structure. Behind the attractive interface lies a sophisticated fee-stealing mechanism that operates without user knowledge.

Every time a user performs a swap, the extension injects an undisclosed transfer that routes a minimum of 0.0013 SOL or 0.05% of the total trade amount to an attacker-controlled wallet address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7.

Attack Mechanism

The attack works by manipulating transaction construction at the blockchain level. When users initiate a swap, the extension first builds the legitimate Raydium swap instruction.

Then it silently appends a second instruction containing a SystemProgram.transfer command that moves SOL from the user’s wallet directly to the attacker’s address.

The user interface displays only the swap details, creating a false sense of legitimacy. Most wallet confirmation screens show a summary of transactions without highlighting individual instructions, so users sign what appears to be a single transaction while both instructions execute together on-chain.
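The appended-transfer pattern described above is exactly what a wallet or a cautious user could check for before signing. The following is an added example, not code from the article or from Socket.dev: it walks a transaction's instruction list and reports any raw System Program SOL transfer out of the user's wallet to a destination the user did not approve. Instructions are plain objects here (a wallet would decode them from the serialized transaction), the user wallet and swap program id are constructed placeholders, and the fee-sink address is the one quoted in the report.

```javascript
// Added example, not code from the article or Socket.dev. It audits a transaction's
// instruction list before signing and reports SOL transfers the user did not approve.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program
const LAMPORTS_PER_SOL = 1_000_000_000;
const TRANSFER_DISCRIMINATOR = 2; // SystemInstruction::Transfer, u32 little-endian
// Fee rule reported for the extension: at least 0.0013 SOL, or 0.05% of the trade.
function hiddenFeeLamports(tradeLamports) {
  const minFee = 1_300_000;                                // 0.0013 SOL
  const pctFee = Math.floor((tradeLamports * 5) / 10_000); // 0.05 %
  return Math.max(minFee, pctFee);
}
// System Program transfer payload: 4-byte discriminator + u64 little-endian lamports.
function encodeTransferData(lamports) {
  const view = new DataView(new ArrayBuffer(12));
  view.setUint32(0, TRANSFER_DISCRIMINATOR, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return new Uint8Array(view.buffer);
}
function decodeTransferData(data) {           // lamports, or null if not a transfer
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, 12);
  if (view.getUint32(0, true) !== TRANSFER_DISCRIMINATOR) return null;
  return Number(view.getBigUint64(4, true));
}
// Every SOL transfer out of `userWallet` to a destination not in `approved`.
// Swap-program instructions are left alone; only raw System Program transfers are checked.
function findUndisclosedTransfers(instructions, userWallet, approved) {
  const ok = new Set(approved);
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const lamports = decodeTransferData(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.keys;               // transfer accounts: [source, destination]
    if (from === userWallet && !ok.has(to)) findings.push({ index, to, lamports });
  });
  return findings;
}
// Constructed sample: a 1 SOL swap with the appended transfer described above.
const USER = "UserWa11et1111111111111111111111111111111111";       // constructed
const SWAP_PROGRAM = "RaydiumSwapProgramPlaceholder";               // placeholder id
const FEE_SINK = "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7";    // address from the report
const sampleTx = [
  { programId: SWAP_PROGRAM, keys: [USER], data: new Uint8Array([9, 0, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, keys: [USER, FEE_SINK],
    data: encodeTransferData(hiddenFeeLamports(1 * LAMPORTS_PER_SOL)) },
];
console.log(findUndisclosedTransfers(sampleTx, USER, [])); // [{ index: 1, to: FEE_SINK, lamports: 1300000 }]
```

A non-empty result is the signal to refuse the signature; a legitimate swap never needs a bare System Program transfer to a third-party wallet.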

Crypto Copilot (Source - Socket.dev)

Socket researchers also discovered additional malicious functionality beyond fee theft. The extension exfiltrates users’ connected wallet public keys to a backend server at crypto[.]copilot-dashboard[.]vercel[.]app/api/users, creating privacy violations.

Furthermore, embedded Helius RPC API credentials expose sensitive infrastructure information, compounding the security risks.

The malicious code resides within the assets/popup.js file, wrapped in heavy obfuscation to evade detection.

The Chrome Web Store listing has remained unchanged despite these discoveries, with no warning to potential users about the hidden charges or data collection occurring in the background.
