A Google Chrome browser extension advertised as a shortcut for trading Solana directly from the X (Twitter) feed has been identified as malware, quietly siphoning funds from every transaction executed through it.
- A malicious Chrome extension added hidden fees to every Solana swap and routed them to an attacker.
- The plug-in has been live since June and marketed itself as a trading shortcut for X users.
- Chrome extensions remain a high-risk environment for crypto transactions due to broad permissions and limited visibility into instructions users sign.
Cybersecurity firm Socket uncovered the scheme and reported that the extension — titled Crypto Copilot — inserts a hidden fee into each swap. Instead of draining entire wallets in a single hit (the hallmark of most Solana-focused malware), the attacker opted for a slower and less noticeable method: taking a small cut from every trade.
How the theft is carried out
Socket’s review of the code revealed that Crypto Copilot routes swaps through Raydium, a popular Solana DEX. But before users approve the transaction, the extension adds an extra instruction that funnels part of the trade — a minimum of 0.0013 SOL or roughly 0.05% of the swap value — to the attacker.
The extension relies on the fact that most users only review the high-level summary shown in the wallet approval window. Because both transfers execute in the same transaction, there is no visible indication that a second transfer is taking place.
Installed since June — barely noticed until now
Crypto Copilot has been available on the Chrome Web Store since June 18, 2024. According to the storefront listing, it has 15 active users, though the exact number affected by unauthorized transfers is unclear.
The extension marketed itself as a productivity upgrade — enabling Solana swaps without leaving the X interface — which likely helped it avoid early suspicion. Socket says it has already requested that Google remove the listing, but the plug-in remained accessible at the time of reporting.
Growing pattern of Chrome-based wallet theft
This is not an isolated case. Malicious Chrome extensions have become one of the most effective attack vectors targeting crypto users:
- Earlier this month, Socket flagged another highly downloaded wallet extension that was draining funds.
- In August, the Jupiter team warned Solana users about a Chrome plug-in that emptied wallets.
- In June 2024, a Chinese trader reported losing $1 million after installing a malicious extension that harvested browser cookies and gained access to his Binance account.
Security researchers caution that Chrome extensions have become a preferred target because users often accept permission prompts without understanding the access being granted.
The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.
Alex is an experienced financial journalist and cryptocurrency enthusiast. With over 8 years of experience covering the crypto, blockchain, and fintech industries, he is well-versed in the complex and ever-evolving world of digital assets. His insightful and thought-provoking articles provide readers with a clear picture of the latest developments and trends in the market. His approach allows him to break down complex ideas into accessible and in-depth content. Follow his publications to stay up to date with the most important trends and topics.