Crypto Copilot appeared in mid-2024 promoted as a convenience tool offering one-click token trades directly from social media feeds. It supports popular Solana wallets such as Phantom and Solflare, and presents itself as a legitimate interface sourcing token data via services like DexScreener. The extension’s public listing made no mention of extra fees or on-chain transfers beyond the swap itself.
Behind the innocuous façade, security researchers from Socket discovered that every Raydium swap initiated through Crypto Copilot includes a hidden “SystemProgram.transfer” instruction. That instruction transfers at least 0.0013 SOL — or 0.05% of the traded amount if the swap exceeds 2.6 SOL — to a fixed wallet address baked into the extension’s code. The transferred fee executes atomically as part of the same transaction that carries out the intended swap, meaning users sign off on both without noticing anything amiss.
The user interface deliberately conceals this surcharge: the swap confirmation shows only the expected trade, while the hidden SOL transfer remains invisible in standard wallet dialogs. The code responsible for the transfer is heavily obfuscated and uses techniques such as variable renaming and minification to evade detection.
Investigation into Crypto Copilot’s infrastructure revealed further warning signs. The extension reaches out to a backend hosted under the domain “crypto-coplilot-dashboard.vercel[.]app” — a likely misspelling of “copilot” — to log connected wallet public keys and report user activity under pretexts of “points” and referral tracking. The main website address associated with the tool appears parked and hosts no legitimate product, reinforcing the view that the project served as a shallow facade to cloak illicit transfer logic.
At the time of analysis the extension remained live on the Chrome Web Store, though a takedown request had been submitted to the platform’s security team. Given how the scam scales with trading volume, more active or high-volume traders stand to lose significantly more over time.
The Crypto Copilot case underscores growing risks associated with browser-based extensions in the cryptocurrency space. As communities around Solana and other blockchains have expanded, threat actors appear to be exploiting the trust users place in Web-based add-ons, turning seamless user-experience promises into covert siphons. Analysts warn that such stealthy fund-draining mechanisms may proliferate unless extension marketplaces and end users adopt stricter scrutiny, and they advise verifying every line of code and wallet instruction before authorising transactions.