A newly discovered Solana Chrome extension silently siphons cryptocurrency from traders by appending hidden transfer instructions to each swap executed through Raydium, a decentralized exchange on the Solana blockchain.
- The Solana Chrome extension Crypto Copilot adds hidden instructions to Raydium swaps, diverting 0.05% or a minimum of 0.0013 SOL per transaction to an attacker wallet.
- The extension communicates with a backend domain, collecting wallet identifiers and user activity despite lacking a functional dashboard.
- Low installation numbers obscure high-risk potential for frequent traders, highlighting persistent vulnerabilities in Chrome’s crypto extension ecosystem.
How Crypto Copilot Diverts Solana Funds
Cybersecurity researchers from Socket’s Threat Research Team report that Crypto Copilot, the Solana Chrome extension, allows users to trade SOL directly from X (formerly Twitter) feeds while secretly diverting funds. Each swap executed via the extension includes a hidden instruction transferring 0.05% or a minimum of 0.0013 SOL to a hardcoded attacker wallet.
Published on the Chrome Web Store in mid-2024, Crypto Copilot markets itself as a tool for instant Solana trading. Users see only the apparently legitimate swap; confirmation screens summarize the transaction without revealing the hidden transfer. Socket notes that obfuscation techniques, including minification and variable renaming, are used to conceal this malicious behavior.
Backend Data Collection and Infrastructure
The Solana Chrome extension also communicates with a backend hosted on crypto-coplilot-dashboard.vercel.app, registering connected wallets, tracking user activity, and reporting referral data. A second domain, cryptocopilot.app, is parked and non-functional. Socket emphasizes that the absence of a working dashboard is inconsistent with a legitimate trading platform.
Crypto Copilot leverages Raydium, an automated market maker (AMM) on Solana, to execute swaps. By appending a hidden SystemProgram.transfer instruction to each trade, the extension completes atomic on-chain transfers that divert funds while users approve what appears to be a single transaction.
Hidden Transfer Fees in Legitimate Swap Flows
Although installation numbers remain low, Socket warns that cumulative siphoning poses high risks for frequent traders. Incremental losses may accumulate unnoticed, illustrating broader browser-based crypto threats. Previous incidents have involved malicious Chrome and Firefox extensions targeting wallets such as MetaMask, Phantom, and Coinbase.
The Solana Chrome extension hides unauthorized transfers inside legitimate swap transactions. Users unknowingly authorize additional SOL transfers because confirmation interfaces summarize rather than detail each on-chain instruction. Obfuscation and a non-functional dashboard create a veneer of legitimacy while siphoning funds.
Systemic Risks for Solana Traders
Chrome’s extensible architecture and large user base have long attracted crypto-focused malware. Even extensions with few installations, like Crypto Copilot, can affect high-volume traders because the siphoning mechanism scales with transaction volume. This incident highlights persistent weaknesses in browser-based crypto security and the importance of inspection before signing transactions.
As browser-based tools increasingly integrate cryptocurrency trading, vigilance remains essential. Solana traders are advised to verify extension legitimacy, review transaction instructions carefully, and follow updates from cybersecurity teams. Crypto Copilot underscores the need for enhanced monitoring and regulation in Chrome’s extension ecosystem to safeguard decentralized finance participants.
Yona has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Daily is an official media and publication of the Shiba Inu cryptocurrency project...
