Cybersecurity firm Socket has revealed that a malicious Chrome extension called “Crypto Copilot” is stealing funds by adding hidden fees to users’ Solana transactions.
Released to the Chrome Web Store on June 18, 2024, the extension advertises itself as a tool that “lets you instantly take action from your X stream,” but it runs an additional transfer process in the background that users don’t notice.
According to a technical review by Socket’s Threat Research Team, the extension adds an extra transfer of 0.0013 SOL, or 0.05% of the transaction amount, to each swap transaction and directs it to the attacker’s wallet, which is embedded in the code. This fee is not disclosed on the Chrome Web Store page, and the relevant code is heavily obfuscated.
After generating a standard swap instruction on Raydium, Crypto Copilot appends a second, hidden instruction that transfers SOL to Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. Because the interface displays only the swap details, and wallet confirmation screens often don’t display individual instructions, users tend to mistake the transaction for a single swap and sign it. However, both instructions execute on-chain as part of the same transaction.
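The hidden instruction described above can be surfaced before signing by decoding every instruction in the transaction and listing System Program transfers out of the user's wallet. The JavaScript below is an added example, not code from Socket or from the extension; the decoded transaction shape (`{instructions: [{programId, accounts, data}]}`), the function names, and the user wallet and swap program placeholders are assumptions.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminant

// Decode a System Program transfer: u32 LE index, then u64 LE lamports.
// Accounts are [funding account, recipient]. Returns null for anything else.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const d = ix.data;
  if (!(d instanceof Uint8Array) || d.length < 12 || ix.accounts.length < 2) return null;
  const view = new DataView(d.buffer, d.byteOffset, d.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Report transfers out of the signer's wallet to any recipient the caller did
// not expect. expectedRecipients is for accounts a legitimate flow may fund
// (assumption: e.g. the user's own wrapped-SOL account).
function findUnexpectedTransfers(tx, signer, expectedRecipients = []) {
  const allowed = new Set([signer, ...expectedRecipients]);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === signer && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}

// Constructed sample data (placeholders, not real program or wallet ids,
// except the recipient address quoted in the article).
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}
const USER = "UserWalletPlaceholder";
const SWAP_PROGRAM = "SwapProgramPlaceholder";
const REPORTED_RECIPIENT = "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7";
const sampleTx = {
  instructions: [
    { programId: SWAP_PROGRAM, accounts: [USER], data: new Uint8Array([9, 0, 0, 0]) },
    { programId: SYSTEM_PROGRAM_ID, accounts: [USER, REPORTED_RECIPIENT],
      data: transferData(1_300_000) }, // 0.0013 SOL in lamports
  ],
};

console.log(findUnexpectedTransfers(sampleTx, USER));
```

A finding at an instruction index the interface never mentioned is the signal: the swap summary shows one action while the signed transaction carries two.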
Socket said it has submitted a formal removal request to the Google Chrome Web Store security team and that the malicious extension is still live.