
Malicious Chrome Extension 'Crypto Copilot' Caught Injecting Hidden Fees into Solana Swaps


Source: CoinEdition
Original Title: Malicious Chrome Extension ‘Crypto Copilot’ Caught Injecting Hidden Fees into Solana Swaps
Original Link: https://coinedition.com/malicious-chrome-extension-crypto-copilot-caught-injecting-hidden-fees-into-solana-swaps/

The Hack, Trick, and Fix

  • The Hack: A Chrome extension named “Crypto Copilot” secretly adds a fee transfer to user swaps.
  • The Trick: It hides a SystemProgram.transfer instruction inside legitimate Raydium transactions.
  • The Fix: Users must verify individual transaction instructions in their wallet preview before signing.

A malicious browser extension masquerading as a Solana trading tool has been caught siphoning funds from users by silently modifying transaction payloads.

Security researchers found that the Chrome extension secretly steals small amounts of SOL from Solana users during swaps. The extension, named Crypto Copilot, looks like a normal trading tool but quietly adds an extra transfer to every trade.

How the Fake Extension Works

Threat Research Teams found that Crypto Copilot has been available on the Chrome Web Store since June 2024. It advertises itself as a tool that lets people trade Solana tokens directly from their X feed. The extension shows token prices, connects to popular wallets, and looks completely safe on the surface.

However, when a user performs a swap, the extension builds the normal Raydium swap instruction and then secretly adds a second instruction to the same transaction. The extra instruction sends SOL to an attacker-controlled wallet without telling the user. The minimum amount taken is 0.0013 SOL, or 0.05 percent of the swap size if the trade is large enough.

Wallets usually show only the main summary of a transaction. Most users will not expand the full instruction list, so they will not notice that two separate actions are being signed at once.

Looks Legit on the Outside; Suspicious Inside

Crypto Copilot tries hard to appear like a real and helpful product. It detects token names on X, shows DexScreener data, and supports well-known wallets such as Phantom and Solflare. It also asks only for common wallet permissions.

But the backend reveals the truth. The extension sends data to a domain that has no real website and only displays a blank page. Its official website is parked and does not host any working product. Even the backend domain has a spelling mistake in its name. These details show that the creators did not plan to build a real trading service.

The code is also heavily obfuscated and difficult to read. Key parts, including the attacker’s wallet address, are buried inside long and confusing scripts.

The Hidden Fees Add Up Over Time

The extension charges users in two ways. For swaps under 2.6 SOL, it takes the minimum 0.0013 SOL. For trades above that amount, it takes 0.05 percent of the swap. For example, a 100 SOL trade would secretly send 0.05 SOL to the attacker.

So far, the attacker has not collected much ($6.86), which shows that the extension has not yet spread widely. But the system is designed to scale, meaning that larger or frequent traders could lose significant amounts without knowing.
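
The check the article recommends, reading every instruction rather than the wallet summary, can be expressed in code. The JavaScript below is an added example, not code from the researchers or the original article: it walks a decoded instruction list, flags System Program transfers to accounts the user does not own, and compares the amount with the fee rule described above. The transaction shape, the ownedAccounts list and all account names are assumptions made for illustration; the System Program ID and the Transfer data layout are Solana's standard ones.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const MIN_FEE = 1_300_000n; // 0.0013 SOL in lamports (1 SOL = 1e9 lamports)
// Fee rule reported in the article: the larger of 0.0013 SOL or 0.05% of the swap.
function expectedHiddenFee(swapLamports) {
  const pct = (swapLamports * 5n) / 10_000n;
  return pct > MIN_FEE ? pct : MIN_FEE;
}

// System Program Transfer data: u32 LE discriminant 2, then u64 LE lamports.
function decodeSystemTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  return view.getUint32(0, true) === 2 ? view.getBigUint64(4, true) : null;
}

// Flags SOL transfers from the fee payer to accounts the user does not own.
// tx shape (hypothetical): { feePayer, ownedAccounts, instructions: [{programId, accounts, data}] }
function auditTransaction(tx, swapLamports) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.accounts;
    // Funding the user's own wrapped-SOL account is a normal part of a SOL swap.
    if (from !== tx.feePayer || tx.ownedAccounts.includes(to)) return;
    const matchesFeeRule = lamports === expectedHiddenFee(swapLamports);
    findings.push({ index, to, lamports, matchesFeeRule });
  });
  return findings;
}
// Constructed sample: a 100 SOL swap with an appended transfer (all names are placeholders).
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}
const SWAP = 100_000_000_000n;
const sampleTx = {
  feePayer: "USER_WALLET", ownedAccounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"],
  instructions: [
    { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"], data: encodeTransfer(SWAP) },
    { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET"], data: new Uint8Array([9]) },
    { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "UNKNOWN_RECIPIENT"], data: encodeTransfer(50_000_000n) },
  ],
};
console.log(auditTransaction(sampleTx, SWAP));
```

On the sample, only the third instruction is reported: the first transfer goes to the user's own account, and the second instruction is the swap itself.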

Warning for Solana Users

Researchers say this extension was never meant to operate as a real product. It only exists to look trustworthy while taking fees in the background. Users are advised to avoid unknown browser extensions, especially those that ask for wallet access or promise one-click trading.

“Install wallet extensions only from verified publisher pages, not Chrome Web Store search results,” the research said.
