CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Malicious Chrome Extension "Crypto Copilot" Caught Injecting Hidden Solana Transfers

Security researchers have uncovered a malicious Chrome browser extension named Crypto Copilot designed to stealthily siphon Solana (SOL) during decentralized exchange (DEX) swaps. The extension injects an unauthorized transfer into legitimate Raydium swap transactions, redirecting funds to an attacker-controlled wallet. Despite its harmful functionality, the extension remains publicly available on the Chrome Web Store and presents itself as a legitimate crypto trading tool.

Context

Browser extensions are increasingly used in cryptocurrency workflows, from signing transactions to accessing decentralized applications. While convenient, extensions operate close to the user’s wallet interactions, making them high-value targets for abuse.

Crypto Copilot appeared in the Chrome Web Store in May 2024 with claims of providing trading features on X (formerly Twitter). Its low install count and veneer of legitimacy allowed it to evade scrutiny until recent analysis.

This incident demonstrates how malicious extensions can weaponize trust in browser ecosystems and exploit decentralized finance (DeFi) users who rely on automated swap processes.

What Happened

Researchers at Socket uncovered that Crypto Copilot silently alters Solana swap transactions performed through Raydium, a major Solana-based decentralized exchange.

Key findings include:

  • The extension injects an additional SystemProgram.transfer instruction into the user’s signed transaction.

  • A hidden fee of 0.05% of the swap amount, with a floor of 0.0013 SOL, is routed to an attacker’s hard-coded wallet.

  • For trades above 2.6 SOL the 0.05% share exceeds that floor, so larger trades pay a proportionally larger fee.

  • Users receive no indication of the hidden transfer.

  • The extension uses obfuscation to hide its malicious code path.

Technical Breakdown

The malicious behavior operates through several coordinated mechanisms:

  • Obfuscated JavaScript logic activates only when a Raydium swap is performed, minimizing detection.

  • The extension appends an unauthorized Solana transfer directly into the user’s signed instruction set, ensuring the blockchain treats it as part of the legitimate transaction.

  • Minification and variable renaming conceal malicious logic from static analysis and human review.

  • A backend hosted on crypto-coplilot-dashboard.vercel[.]app and cryptocopilot[.]app collects wallet data, referral information, and user activity—despite not hosting any real product.

  • The extension integrates legitimate services such as DexScreener and Helius RPC to build trust and pass Chrome Web Store checks.

Because the malicious transfer is embedded within a larger, legitimate transaction, the swap interface never displays it. Detecting it requires inspecting each instruction in the transaction before it is signed.
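The per-instruction inspection described above, written out as an added example (this is not code from the article, from Socket, or from the extension): a defender-side audit that walks every instruction in a Solana transaction before signing and flags any System Program transfer whose destination the user did not expect. The System Program address and the Transfer instruction layout (u32 little-endian index 2, then a u64 little-endian lamport amount) are real Solana constants; the transaction objects, the swap program, and the wallet addresses are constructed placeholders, and the fee helper simply encodes the 0.05% / 0.0013 SOL rule the article reports. It runs under Node without `@solana/web3.js`, so the instruction objects are plain `{ programId, keys, data }` records rather than library types.

```javascript
// Real Solana constants: the System Program id (32 ones) and its Transfer index.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2;
const LAMPORTS_PER_SOL = 1_000_000_000;
const MIN_FEE_LAMPORTS = 1_300_000; // 0.0013 SOL, the floor reported in the article

// Decode a System Program instruction: u32 LE index, then u64 LE lamports for
// Transfer. Returns null for anything that is not a System Program transfer.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const buf = Buffer.from(ix.data);
  if (buf.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return {
    from: ix.keys[0].pubkey,
    to: ix.keys[1].pubkey,
    lamports: Number(buf.readBigUInt64LE(4)),
  };
}

// Audit every instruction. Any transfer whose destination is outside the
// allowlist (the user's own accounts plus the accounts the swap UI disclosed)
// is reported with its position, so a wallet or user can refuse to sign.
function auditTransaction(instructions, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports, sol: t.lamports / LAMPORTS_PER_SOL });
    }
  });
  return findings;
}

// Build a System Program transfer in the real wire layout (used for the sample).
function makeTransfer(from, to, lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return {
    programId: SYSTEM_PROGRAM_ID,
    keys: [
      { pubkey: from, isSigner: true, isWritable: true },
      { pubkey: to, isSigner: false, isWritable: true },
    ],
    data: [...data],
  };
}

// The skim rule the article reports: 0.05% of the swap, floored at 0.0013 SOL.
// Integer arithmetic avoids float drift; the two branches cross at 2.6 SOL.
function hiddenFeeLamports(swapLamports) {
  const pct = Math.floor((swapLamports * 5) / 10000);
  return Math.max(pct, MIN_FEE_LAMPORTS);
}

// Constructed sample: a user swapping 10 SOL. All addresses are placeholders.
const USER = "PlaceholderUserWallet11111111111111111111";
const SWAP_PROGRAM = "PlaceholderSwapProgram1111111111111111111";
const SWAP_VAULT = "PlaceholderSwapVault11111111111111111111";
const ATTACKER = "PlaceholderAttackerWallet1111111111111111";
const SWAP_LAMPORTS = 10 * LAMPORTS_PER_SOL;

function sampleTransaction() {
  return [
    // Legitimate: an opaque call into the swap program (placeholder data).
    {
      programId: SWAP_PROGRAM,
      keys: [
        { pubkey: USER, isSigner: true, isWritable: true },
        { pubkey: SWAP_VAULT, isSigner: false, isWritable: true },
      ],
      data: [9, 0, 0, 0],
    },
    // Legitimate: the user's SOL moving into the swap's vault (placeholder).
    makeTransfer(USER, SWAP_VAULT, SWAP_LAMPORTS),
    // Injected: the extra transfer to a hard-coded wallet, as described above.
    makeTransfer(USER, ATTACKER, hiddenFeeLamports(SWAP_LAMPORTS)),
  ];
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditTransaction(sampleTransaction(), [USER, SWAP_VAULT]);
  for (const f of findings) {
    console.log(`instruction ${f.index}: unexpected transfer of ${f.sol} SOL to ${f.to}`);
  }
}
```

The allowlist is the key design choice: a swap legitimately moves the user's SOL into program-owned accounts, so the audit cannot simply reject every transfer. It rejects transfers to destinations the swap interface never showed the user, which is exactly what the injected instruction is.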

Impact Analysis

Although the extension has only 12 installs, the impact on affected users can be significant:

  • Solana trades are silently taxed with hidden fees.

  • Users may lose funds without noticing unless they manually audit each transaction.

  • The attack leverages the Chrome Web Store’s validation gaps, showing the challenges of securing browser-based crypto tooling.

  • Because Raydium swaps are common across the Solana ecosystem, any user performing a DEX trade through a compromised browser is at risk.

The stealth, precision, and legitimate service integrations make this attack particularly insidious.

Why It Matters

As crypto adoption grows, browser extensions increasingly act as user-facing gateways into blockchain ecosystems. This incident highlights a critical need for:

  • Stronger extension security auditing

  • Verification of transaction details before signing

  • Greater scrutiny of new browser-based crypto tools

Crypto Copilot demonstrates how attackers can compromise DeFi transactions without phishing, smart contract exploits, or malicious websites—simply by manipulating the user’s browser environment.

Expert Commentary

Researchers emphasize that the attack’s subtlety is its strength. By embedding malicious transfers inside legitimate signed transactions, attackers exploit user trust in familiar workflows.

The infrastructure supporting the extension appears designed to:

  • Pass Chrome Web Store review

  • Mimic a real dashboard

  • Provide a functional interface

  • Mask ongoing fee siphoning in the background

Experts warn that this pattern is likely to appear in more browser-based DeFi attacks.

Key Takeaways

  • Crypto Copilot is a malicious Chrome extension that injects unauthorized SOL transfers into Raydium swaps.

  • Hidden transfers route a minimum of 0.0013 SOL or 0.05% of trade value to an attacker wallet.

  • Obfuscation conceals malicious code paths and boosts evasion.

  • Fake backends and real crypto services create a false sense of legitimacy.

  • Users may not notice unless they inspect each transaction’s instructions.

  • Browser extensions remain a high-risk vector in DeFi operations.
