A malicious Google Chrome extension has been quietly siphoning funds from Solana users by attaching fraudulent fees to every transaction executed through its interface. Cybersecurity firm Socket published a report on Tuesday outlining the behavior of the extension, known as “Crypto Copilot.” The software allows users to trade Solana directly from their X (Twitter) feed, presenting itself as a convenient shortcut for active traders. Behind the scenes, however, the extension manipulates every swap. Socket found that the extension “injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade.” Unlike typical wallet-draining malware that attempts to steal full account balances, this extension takes small amounts per transaction, making detection more difficult. How the Attack Works Behind the Interface Crypto Copilot relies on decentralized exchange Raydium to conduct swaps on behalf of the user. However, before completing the transaction, the extension embeds a second instruction that transfers SOL directly to the attacker’s wallet. Socket reported that the extension’s user interface only displays standard swap details. Wallet confirmation screens also fail to show the additional instructions, instead presenting a summarized transaction that hides the malicious activity. “Users sign what appears to be a single swap, but both instructions execute atomically on-chain,” Socket said. The atomic execution ensures both steps occur simultaneously, leaving no opportunity for the user to catch the tampered transaction. Extension Has Operated for Months With Limited Exposure Despite its malicious behavior, Crypto Copilot remained listed on the Chrome Web Store for months. The extension was first published on June 18, 2024, according to Socket’s investigation. The store showed it had only 15 users at the time of the report, suggesting the attacker focused on a small but targeted audience of crypto traders. Socket confirmed it submitted a takedown request to Google’s security team following the discovery. Crypto Copilot advertised itself as a productivity tool that would allow users to trade without switching between platforms. Its marketing emphasized “allowing you to act on trading opportunities instantly without the need for switching between apps or platforms.” Chrome Extensions Remain a Major Attack Vector for Crypto Theft Google Chrome’s massive install base and flexible add-on architecture have made browser extensions a common target for crypto-related exploits. Socket noted earlier this month that the fourth-most-popular crypto wallet extension on Chrome was draining user funds. In August, decentralized exchange aggregator Jupiter announced it had detected another malicious Chrome extension that targeted Solana wallets. These incidents follow a series of high-profile thefts tied to browser extensions. In June 2024, a Chinese trader reportedly lost $1 million after installing a malicious plugin called Aggr. The extension stole browser cookies, allowing attackers to hijack logged-in sessions including access to the trader’s Binance account.
