A newly discovered Solana trading extension for Chrome silently siphons cryptocurrency from traders by appending a hidden transfer instruction to each swap it executes through Raydium, a decentralized exchange on the Solana blockchain.
Key Points
- Crypto Copilot, a Solana trading extension for Chrome, injects a hidden transfer instruction into every Raydium swap. It secretly siphons 0.05% of the swap amount, with a minimum of 0.0013 SOL, per transaction to a hardcoded attacker wallet.
- Users unknowingly authorize hidden fees because transaction confirmation screens don't detail the extra transfers. Obfuscation techniques conceal this malicious behavior, leading to unnoticed cumulative losses.
- This incident highlights persistent browser-based crypto security weaknesses. The siphoning mechanism scales with transaction volume, posing high risks for frequent Solana traders.
How Crypto Copilot Diverts Solana Funds
Cybersecurity researchers from Socket’s Threat Research Team report that Crypto Copilot, the Solana Chrome extension, lets users trade SOL directly from X (formerly Twitter) feeds while secretly diverting funds. Each swap executed via the extension includes a hidden instruction transferring 0.05% of the swap amount, with a minimum of 0.0013 SOL, to a hardcoded attacker wallet.
Published on the Chrome Web Store in mid-2024, Crypto Copilot markets itself as a tool for instant Solana trading. Users see only the apparent legitimate swap; confirmation screens summarize the transaction without revealing the hidden transfer. Socket notes that obfuscation techniques, including minification and variable renaming, are used to conceal this malicious behavior.
Backend Data Collection and Infrastructure
The Solana Chrome extension also communicates with a backend hosted on crypto-coplilot-dashboard.vercel.app, registering connected wallets, tracking user activity, and reporting referral data. A second domain, cryptocopilot.app, is parked and non-functional. Socket emphasizes that the absence of a working dashboard is inconsistent with a legitimate trading platform.
Crypto Copilot uses Raydium, an automated market maker (AMM) on Solana, to execute swaps. It appends a hidden SystemProgram.transfer instruction to each trade; because every instruction in a Solana transaction executes atomically under the same signature, the user approves what appears to be a single swap while the appended transfer to the attacker wallet settles in the same transaction.
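The following is an added example, not code from Socket’s report or from the Crypto Copilot extension. It models the mechanism described above with plain Node.js Buffers rather than @solana/web3.js so it runs offline: a swap instruction with an appended System Program transfer, encoded in the real System Program wire layout (a little-endian u32 instruction index of 2 for Transfer followed by a little-endian u64 lamport amount), plus the kind of pre-signing audit the later sections recommend, which decodes every instruction and flags SOL transfers out of the signer’s wallet to unexpected recipients. The wallet addresses and the swap program id are constructed placeholders, not real on-chain identifiers, and the swap payload is an opaque stand-in.

```javascript
// Added example: models a Solana transaction as a list of instructions
// ({ programId, keys, data }) without @solana/web3.js.
// ASSUMPTIONS: USER_WALLET, ATTACKER_WALLET and SWAP_PROGRAM_ID are
// constructed placeholders; the swap payload is an opaque stand-in.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program id
const SYSTEM_TRANSFER_INDEX = 2; // System Program instruction enum: 2 = Transfer
const LAMPORTS_PER_SOL = 1_000_000_000;
const MIN_HIDDEN_FEE_LAMPORTS = 1_300_000; // 0.0013 SOL floor from the report

// Constructed placeholders (assumptions, not the real addresses).
const USER_WALLET = "UserWa11et1111111111111111111111111111111111";
const ATTACKER_WALLET = "AttackerWa11et111111111111111111111111111111";
const SWAP_PROGRAM_ID = "SwapProgram11111111111111111111111111111111";

// Fee rule the report describes: 0.05% of the swap amount, minimum 0.0013 SOL.
function hiddenFeeLamports(swapLamports) {
  const pct = Math.floor((swapLamports * 5) / 10_000); // 0.05% = 5 / 10000
  return Math.max(pct, MIN_HIDDEN_FEE_LAMPORTS);
}

// System Program Transfer: 4-byte LE index (2) + 8-byte LE u64 lamports.
function encodeSystemTransfer(from, to, lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return {
    programId: SYSTEM_PROGRAM_ID,
    keys: [
      { pubkey: from, isSigner: true, isWritable: true },
      { pubkey: to, isSigner: false, isWritable: true },
    ],
    data,
  };
}

// Returns { from, to, lamports } for a System Program transfer, else null.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  if (ix.data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return {
    from: ix.keys[0].pubkey,
    to: ix.keys[1].pubkey,
    lamports: Number(ix.data.readBigUInt64LE(4)),
  };
}

// The malicious pattern: the legitimate swap instruction plus an appended
// transfer to the hardcoded wallet, both executed atomically under one signature.
function buildSwapWithHiddenTransfer(user, swapLamports) {
  const swapIx = {
    programId: SWAP_PROGRAM_ID, // placeholder for the AMM program (assumption)
    keys: [{ pubkey: user, isSigner: true, isWritable: true }],
    data: Buffer.from([9]), // opaque constructed swap payload
  };
  const feeIx = encodeSystemTransfer(user, ATTACKER_WALLET, hiddenFeeLamports(swapLamports));
  return { feePayer: user, instructions: [swapIx, feeIx] };
}

// Pre-signing audit: decode every instruction and flag System Program
// transfers out of the fee payer's wallet to any recipient not on an allow-list.
function auditInstructions(tx, allowedRecipients = []) {
  const flagged = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t) return;
    if (t.from === tx.feePayer && !allowedRecipients.includes(t.to)) {
      flagged.push({ index, to: t.to, lamports: t.lamports, sol: t.lamports / LAMPORTS_PER_SOL });
    }
  });
  return flagged;
}

// Usage: a 10 SOL swap carries a 0.005 SOL (0.05%) transfer at instruction index 1;
// a 1 SOL swap would hit the 0.0013 SOL floor instead.
const tx = buildSwapWithHiddenTransfer(USER_WALLET, 10 * LAMPORTS_PER_SOL);
console.log(auditInstructions(tx));
```

The audit is deliberately simple: it only decodes the System Program transfer layout, which is enough to catch the pattern described here, but a real wallet-side check would also decode token-program transfers and compare every destination against the accounts the swap route is expected to touch.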
Hidden Transfer Fees in Legitimate Swap Flows
Although installation numbers remain low, Socket warns that cumulative siphoning poses a high risk for frequent traders: each loss is small enough to go unnoticed, but they add up with every swap. The pattern fits a broader history of browser-based crypto threats, including malicious Chrome and Firefox extensions targeting wallets such as MetaMask, Phantom, and Coinbase.
The Solana Chrome extension hides unauthorized transfers inside legitimate swap transactions. Users unknowingly authorize additional SOL transfers because confirmation interfaces summarize rather than detail each on-chain instruction. Obfuscation and a non-functional dashboard create a veneer of legitimacy while siphoning funds.
Systemic Risks for Solana Traders
Chrome’s extensible architecture and large user base have long attracted crypto-focused malware. Even extensions with few installations, like Crypto Copilot, can affect high-volume traders because the siphoning mechanism scales with transaction volume. This incident highlights persistent weaknesses in browser-based crypto security and the importance of inspecting every instruction in a transaction before signing it.
As browser-based tools increasingly integrate cryptocurrency trading, vigilance remains essential. Solana traders are advised to verify extension legitimacy, review transaction instructions carefully, and follow updates from cybersecurity teams. Crypto Copilot underscores the need for enhanced monitoring and regulation in Chrome’s extension ecosystem to safeguard decentralized finance participants.
