

A Chrome extension posing as a Solana trading tool routed hidden fees from user swaps for months, according to cybersecurity firm Socket, which found an obfuscated instruction that quietly diverted small amounts of SOL to an attacker-controlled wallet. Socket discovered the malicious code this week after reviewing activity on Raydium swaps.
Analysts found that the extension added a second instruction to each swap, which sent either 0.0013 SOL or 0.05% of the trade value to a hardcoded address.
Socket reported that the extension generated normal Raydium swap instructions. It then added a hidden transfer. Wallet screens showed only a single summarized swap, so traders saw no separate instruction. The bundled transaction executed both steps together.
This process allowed the attacker to collect fees without alerting users. It relied on how wallet interfaces group operations. The extension used Raydium on the back end while inserting its own transfer.
The method worked because each transaction executed atomically. Users approved both actions when they signed one swap. The attacker collected values that scaled with trade size.
The extension launched on June 18, 2024. Chrome Web Store data showed only 15 users this week. On-chain activity showed small amounts collected so far. Larger trades triggered the percentage-based fee. A 100 SOL swap delivered 0.05 SOL to the attacker.
The fee structure meant that each high-value swap created more loss. Socket said the extension applied the fixed fee only on small trades. It switched to the percentage fee when trades exceeded roughly 2.6 SOL.
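The pattern described above, a swap with an extra SOL transfer bundled into the same transaction, can be caught by inspecting the instruction list before signing. The following is an added example, not code from Socket or from the extension; it assumes the transaction has already been decoded into a simple list of instructions, and every address in it is a constructed placeholder.

```javascript
// Added example: flag System Program transfers bundled into a swap transaction.
// Input is a decoded instruction list; all addresses below are constructed placeholders.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Fee rule as reported on the page: fixed 0.0013 SOL on small trades, 0.05% above ~2.6 SOL.
function reportedFeeLamports(tradeLamports) {
  const fixed = 1_300_000n;                    // 0.0013 SOL in lamports
  const pct = (tradeLamports * 5n) / 10_000n;  // 0.05% of the trade
  return pct > fixed ? pct : fixed;
}

// Decode a System Program Transfer: u32 LE instruction index (2) + u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer whose recipient is not on the user's expected list.
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  return instructions
    .map((ix, index) => ({ index, transfer: decodeSystemTransfer(ix) }))
    .filter(({ transfer }) => transfer && !allowed.has(transfer.to));
}

// Helper used only to build the constructed sample below.
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

// Constructed sample: a 100 SOL swap followed by an extra transfer instruction.
const USER = "UserWalletPlaceholder";
const trade = 100n * LAMPORTS_PER_SOL;
const sampleTx = [
  { programId: "SwapProgramPlaceholder", accounts: [USER, "PoolPlaceholder"], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM, accounts: [USER, "UnknownRecipientPlaceholder"], data: encodeTransfer(reportedFeeLamports(trade)) },
];
const findings = findUnexpectedTransfers(sampleTx, [USER]);
for (const { index, transfer } of findings) {
  console.log(`instruction ${index}: ${transfer.lamports} lamports -> ${transfer.to}`);
}
```

Legitimate swaps can also contain System Program transfers, for example when wrapping SOL into the user's own token account, so the allowed list should include the accounts the user controls.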
The extension called itself “Crypto Copilot.” It marketed the ability to trade through Twitter without switching platforms. Its website used a GoDaddy-parked domain. Its backend used a misspelled Vercel page that returned nothing while collecting wallet metadata.
Security researchers noted that this case fit into a wider surge of malicious Chrome extensions in the crypto space. Earlier this month, Socket flagged another wallet extension that drained funds. Jupiter later reported a separate Solana-targeting extension that emptied user wallets.
In June 2024, a Chinese trader lost $1 million to a plugin named Aggr. That extension stole browser cookies. It then hijacked exchange accounts, including access to Binance.
This series raised questions about the safety of browser-based crypto tools. How can traders identify safe extensions when malicious tools mimic legitimate platforms so closely?
Socket sent a takedown request to Google. The extension remained online at the time of writing. The firm advised users who installed it to move assets to clean wallets. It also urged traders to avoid closed-source extensions that request signing privileges.
Socket’s investigation revealed that the Crypto Copilot extension inserted hidden transfer instructions into Raydium swaps, allowing the attacker to siphon SOL from users. The case shows how quickly malicious tools can infiltrate trading workflows. Users should review installed extensions and move funds to secure wallets when threats appear.