- The Hack: A Chrome extension named “Crypto Copilot” secretly adds a fee transfer to user swaps.
- The Trick: It hides a SystemProgram.transfer instruction inside legitimate Raydium transactions.
- The Fix: Users must verify individual transaction instructions in their wallet preview before signing.
A malicious browser extension masquerading as a Solana trading tool has been caught siphoning funds from users by silently modifying transaction payloads.
Security researchers identified the harmful Chrome extension to secretly steal small amounts of SOL from Solana users during swaps. The extension, named Crypto Copilot, looks like a normal trading tool but quietly adds an extra transfer to every trade.
How the Fake Extension Works
Socket’s Threat Research Team found that Crypto Copilot has been available on the Chrome Web Store since June 2024. It advertises itself as a tool that lets people trade Solana tokens directly from their X feed. The extension shows token prices, connects to popular wallets, and looks completely safe on the surface.
However, when a user performs a swap, the extension builds the normal Raydium swap instruction and then secretly adds a second instruction. The extra instruction sends SOL to an attacker controlled wallet without telling the user. The minimum amount taken is 0.0013 SOL, or 0.05 percent of the swap size if the trade is large enough.
Wallets usually show only the main summary of a transaction. Most users will not expand the full instruction list, so they will not notice that two separate actions are being signed at once.
Looks legit on the outside; suspicious inside
Crypto Copilot tries hard to appear like a real and helpful product. It detects token names on X, shows DexScreener data, and supports well known wallets such as Phantom and Solflare. It also asks only for common wallet permissions.
But the backend reveals the truth. The extension sends data to a domain that has no real website and only displays a blank page. Its official website is parked and does not host any working product. Even the backend domain has a spelling mistake in its name. These details show that the creators did not plan to build a real trading service.
The code is also heavily hidden and difficult to read. Key parts, including the attacker’s wallet address, are buried inside long and confusing scripts.
The Hidden Fees Add Up Over Time
The extension charges users in two ways. For swaps under 2.6 SOL, it takes the minimum 0.0013 SOL. For trades above that amount, it takes 0.05 percent of the swap. For example, a 100 SOL trade would secretly send 0.05 SOL to the attacker.
Related: Trump-Backed Crypto Firm Loses Another CEO After $1.5 Billion Token Deal
So far, the attacker has not collected much ($6.86), which shows that the extension has not yet spread widely. But the system is designed to scale, meaning that larger or frequent traders could lose significant amounts without knowing.
Warning for Solana Users
Researchers say this extension was never meant to operate as a real product. It only exists to look trustworthy while taking fees in the background. Users are advised to avoid unknown browser extensions, especially those that ask for wallet access or promise one click trading.
“Install wallet extensions only from verified publisher pages, not Chrome Web Store search results,” the research said.
Related: Ethereum Increases Gas Limit to 60M, Scaling Base Layer Ahead of Fusaka Upgrade
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
