
Malicious Chrome Extension Secretly Siphons SOL From Solana Traders
Security researchers have uncovered a malicious Chrome extension that has been quietly stealing SOL from Solana traders for months. The malware, marketed as “Crypto Copilot,” appends a hidden transfer instruction to every Raydium swap it handles, routing a fee to an attacker-controlled wallet without the user's knowledge.
How the Malware Extension Operates
Cybersecurity firm Socket discovered the malicious extension during routine monitoring of the Chrome Web Store. According to security researcher Kush Pandya, Crypto Copilot uses sophisticated obfuscation techniques to hide its true purpose while presenting itself as a legitimate trading tool for Solana users.
Hidden Fee Extraction Mechanism
The extension secretly appends an extra transfer instruction to every Raydium swap transaction. The hidden transfer takes the larger of 0.0013 SOL and 0.05% of the trade amount and sends it directly to the attacker's wallet. The flat floor means even small swaps pay the fee, while the percentage takes over on larger trades, so bigger swaps mean bigger losses for unsuspecting users.
Deceptive User Interface
Users see only the standard swap details in their wallet interfaces and have no indication that an additional transfer instruction is bundled into the same transaction. The extension’s marketing materials and Chrome Web Store listing make no mention of these hidden fees, so a user who does not inspect every instruction before signing has no reason to suspect anything.
Security Risks and Detection Challenges
Socket’s AI scanner identified multiple red flags, including aggressive code obfuscation, hardcoded Solana addresses in transaction logic, and discrepancies between stated functionality and actual network behavior. These indicators triggered deeper manual analysis that ultimately revealed the hidden fee extraction mechanism.
Technical Analysis Findings
The extension’s main domain appears parked with GoDaddy, while its misspelled backend domain displays only a blank placeholder page despite actively collecting wallet data. This low-profile setup has allowed the malware to remain undetected on the Chrome Web Store since June.
Protection Measures for Crypto Users
Security experts recommend several precautions to avoid falling victim to similar attacks. Users should review every instruction in a transaction before signing (a swap should not contain a System Program transfer of SOL to an address the user does not recognize), avoid closed-source trading extensions that request signing permissions, and move assets to a fresh wallet if they have installed a suspicious extension.
Broader Implications for Crypto Security
This incident highlights the growing threat posed by browser-based crypto tools, particularly extensions that combine social media integration with transaction signing capabilities. As the crypto ecosystem expands, security researchers warn that similar attacks are likely to increase, requiring greater vigilance from both users and platform providers.
Socket has submitted a takedown request to Google’s Chrome Web Store security team, though the extension remained available at the time of their report publication. The incident serves as a stark reminder of the importance of thorough security vetting for all crypto-related browser extensions.