Malicious Chrome Extension Exploits Solana Swaps, Stealing User Funds
A recently identified malicious Google Chrome extension executes Solana trades for its users while covertly siphoning a portion of each transaction into the attacker’s wallet. The extension, dubbed Crypto Copilot, manipulates users attempting to execute swaps on the Solana blockchain, according to a report from cybersecurity firm Socket.
Crypto Copilot allows users to trade Solana directly from their Twitter feeds, promising quick execution without switching apps. However, behind the scenes, the extension injects an additional transfer instruction into every swap—effectively draining a minimum of 0.0013 SOL or 0.05% of the total trade—without the user’s awareness. The mechanism leverages the decentralized exchange Raydium to facilitate these swaps, then appends a second, hidden transfer that reroutes SOL from the user’s wallet to the attacker’s address.
On the user interface, only the intended swap appears, with wallet confirmation screens summarizing the transaction without highlighting the extra, malicious instruction. “Users sign what appears to be a single swap, but both instructions execute atomically on-chain,” Socket explained.
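The defensive counterpart to the mechanism described above is to inspect a transaction's full instruction list before signing rather than trusting the wallet's summary. The following is an added example, not code from Socket's report or from the extension: it decodes System Program transfer instructions and flags any that move lamports out of the signer's wallet to an address the user did not intend. The wallet addresses and the swap program id are constructed placeholders; only the System Program id and its Transfer data layout are real.

```javascript
// Added example: pre-sign check for hidden SOL transfers appended to a swap.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program id
const SYSTEM_TRANSFER_INDEX = 2; // u32 LE discriminator of the Transfer instruction
const LAMPORTS_PER_SOL = 1_000_000_000;

// Decode the lamport amount from a System Program Transfer instruction:
// 4-byte little-endian u32 index (2) followed by an 8-byte little-endian u64 amount.
function decodeSystemTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// Return every System transfer that debits `wallet` and credits an address
// outside `expectedRecipients` (the wallet itself or accounts the swap UI showed).
function findHiddenTransfers(instructions, wallet, expectedRecipients) {
  const hidden = [];
  for (const ix of instructions) {
    if (ix.programId !== SYSTEM_PROGRAM_ID) continue;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) continue;
    const [from, to] = ix.keys; // Transfer accounts: [from (signer), to]
    if (from === wallet && !expectedRecipients.has(to)) {
      hidden.push({ to, lamports, sol: Number(lamports) / LAMPORTS_PER_SOL });
    }
  }
  return hidden;
}

// Build Transfer instruction data for a constructed sample transaction.
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Constructed transaction: the swap the user intended plus an appended transfer
// of 0.0013 SOL (1,300,000 lamports). All addresses below are placeholders.
const USER_WALLET = "UserWalletPlaceholder111111111111111111111";
const ATTACKER_WALLET = "AttackerWalletPlaceholder11111111111111111";
const SWAP_PROGRAM_ID = "SwapProgramPlaceholder11111111111111111111";
const sampleTransaction = [
  { programId: SWAP_PROGRAM_ID, keys: [USER_WALLET], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, keys: [USER_WALLET, ATTACKER_WALLET], data: transferData(1_300_000) },
];

const flagged = findHiddenTransfers(sampleTransaction, USER_WALLET, new Set([USER_WALLET]));
```

A wallet that applied this check to the constructed transaction would surface the second instruction and its recipient, which the confirmation screen described in the report did not.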
Socket has already submitted a takedown request to the Chrome Web Store security team. Despite being publicly available since June 18, 2024, the extension remains relatively obscure, with only 15 users reported so far. Crypto Copilot markets itself as an effortless way for Solana traders to execute swaps directly from social media, claiming to streamline trading opportunities without the hassle of multiple platform switches.
The proliferation of malicious Chrome extensions targeting the crypto community is well-documented. Earlier this month, Socket flagged another malicious wallet extension on the Chrome Web Store that drained user funds. In August, Jupiter, a decentralized exchange aggregator, identified yet another extension designed to empty Solana wallets. The risks are compounded by high-profile incidents, including a June 2024 case where a Chinese trader lost over $1 million after installing a rogue Binance plugin that hijacked account cookies.
As the browser extension ecosystem continues to attract malicious actors, security experts urge users to exercise caution when installing and confirming transactions in browser-based crypto tools. The ongoing exploitation highlights the importance of verifying extensions and transaction details before signing any blockchain-related activity.