Security researchers disclosed that Crypto Copilot, a Chrome extension, has been consistently skimming SOL from users trying to swap on Raydium. Instead of directly draining wallets, the extension attaches a hidden transfer instruction to legitimate transactions, siphoning at least 0.0013 SOL or 0.05% of the trade value directly into the wallet of an attacker.
How the Hidden Transfer Slipped Past Wallet Screens
The extension, launched on the Chrome Web Store on June 18, 2024, by a developer account listed as “sjclark76,” positioned itself as the perfect companion for traders glued to X, promising instant swaps directly from the feed by integrating with DexScreener for pricing, Helius for blockchain access, and mainstream wallets like Phantom and Solflare.
When a user initiates a swap, the extension silently modifies the transaction before it ever reaches the wallet.
The malicious code injects an additional SystemProgram.transfer instruction that routes funds to a hardcoded recipient address. Because the legitimate swap and the theft are combined into a single atomic transaction, the wallet’s confirmation screen shows only the expected trade details. The extra transfer remains invisible unless the user consciously expands and examines every instruction, a step only few traders take.
The extension’s source code is heavily compressed and hidden, while its supposed official website, cryptocopilot.app, remains a parked GoDaddy domain with no functional content. As of November 27, 2025, the extension, Crypto Copilot, is still available on the Chrome Web Store with only 12 and 15 known installations.
What Users Must Do Before It’s Too Late
The siphon scheme was disclosed by security company Socket on November 25, 2025, after fully reverse-engineering the extension. According to researcher Kush Pandya, the transfer is silently added to and forwarded to a personal wallet rather than to any protocol treasury, meaning most victims never notice unless they carefully review every instruction before signing.
Socket has submitted a removal request to Google. The incident follows a series of similar attacks on Solana users, including the Bull Checker extension flagged in August 2024 and another high-ranking wallet that was flagged earlier in November 2025, which operate using similar tactics.
Users who have ever installed Crypto Copilot are advised to remove the extension immediately, move remaining funds to a new wallet, and revoke all associated approvals using services such as revoke.cash.
Moving forward, traders and investors are advised to manually review every transaction instruction before signing, particularly when using third-party browser extensions to interact with Solana protocols.
