A malicious Chrome extension is stealing cryptocurrency by slipping hidden fees into every Solana trade. Security researchers discovered that the extension, named Crypto Copilot, quietly redirects small amounts of crypto to attacker-controlled wallets each time users approve a swap.


How the Extension Steals Funds

Researchers found that Crypto Copilot advertises itself as a convenient trading assistant. The extension integrates with X (formerly Twitter), showing token details and letting users swap assets without leaving the platform.

Behind this simple interface, the extension modifies each Solana trade on the decentralized exchange Raydium. It injects a second instruction into the transaction after the user approves the swap. That instruction charges an undisclosed fee and moves the stolen funds to an attacker’s wallet.

The hidden fee appears in two forms:

  • A fixed amount of roughly 0.0013 SOL
  • A percentage-based fee of about 0.05% of the trade value

Most users would never notice these amounts unless they review every transaction in detail.

Researchers highlighted additional red flags:

  • Heavy code obfuscation
  • Logic placed deep inside unrelated functions
  • No disclosure of extra fees in the extension listing

These tactics reveal a clear attempt to hide malicious activity.
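
As an added example (not code from Socket's analysis or from the extension), the JavaScript below shows how a user or analyst could search their own transaction history for the kind of injected fee transfer described above. It assumes the skim is a plain System Program SOL transfer and that transactions are in the `jsonParsed` shape returned by Solana's `getTransaction` RPC call; the wallet, recipient and swap-program names are constructed placeholders, and the allowlist of the user's own accounts is an assumption.

```javascript
// Added example. Input shape assumed: Solana getTransaction, "jsonParsed" encoding.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000;

// System Program transfers out of `wallet` to accounts not in `known`, counted
// only when the same transaction also calls another program (e.g. a DEX swap).
function unexpectedTransfers(tx, wallet, known) {
  const ixs = tx.transaction.message.instructions;
  const callsOtherProgram = ixs.some((ix) => ix.programId !== SYSTEM_PROGRAM);
  if (!callsOtherProgram) return []; // plain SOL payment made by the user
  return ixs
    .filter((ix) => ix.programId === SYSTEM_PROGRAM && ix.parsed && ix.parsed.type === "transfer")
    .map((ix) => ix.parsed.info)
    .filter((info) => info.source === wallet && !known.has(info.destination))
    .map((info) => ({ destination: info.destination, lamports: info.lamports }));
}

// A recipient that recurs across otherwise unrelated swaps is the signal.
function recurringRecipients(history, wallet, known, minCount = 2) {
  const totals = new Map();
  for (const tx of history) {
    for (const t of unexpectedTransfers(tx, wallet, known)) {
      const e = totals.get(t.destination) || { count: 0, lamports: 0 };
      totals.set(t.destination, { count: e.count + 1, lamports: e.lamports + t.lamports });
    }
  }
  return [...totals.entries()]
    .filter(([, e]) => e.count >= minCount)
    .map(([destination, e]) => ({ destination, ...e, sol: e.lamports / LAMPORTS_PER_SOL }));
}

// Constructed sample history; every identifier below is a placeholder.
const swapIx = { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [], data: "" };
const transfer = (destination, lamports) => ({
  programId: SYSTEM_PROGRAM,
  parsed: { type: "transfer", info: { source: "USER_WALLET", destination, lamports } },
});
const mkTx = (...ixs) => ({ transaction: { message: { instructions: ixs } } });
const SAMPLE_HISTORY = [
  // 0.5 SOL swap with a fixed 0.0013 SOL skim appended
  mkTx(transfer("USER_WSOL_ACCOUNT", 500_000_000), swapIx, transfer("UNKNOWN_RECIPIENT", 1_300_000)),
  // 4 SOL swap with a 0.05% skim (0.002 SOL) appended
  mkTx(transfer("USER_WSOL_ACCOUNT", 4_000_000_000), swapIx, transfer("UNKNOWN_RECIPIENT", 2_000_000)),
  // ordinary payment with no swap: not flagged
  mkTx(transfer("FRIEND_WALLET", 1_000_000_000)),
];
const KNOWN = new Set(["USER_WSOL_ACCOUNT"]); // the user's own accounts
console.log(recurringRecipients(SAMPLE_HISTORY, "USER_WALLET", KNOWN));
```

The allowlist matters because a legitimate SOL swap often moves funds into the user's own wrapped-SOL account first; only transfers to accounts the user does not recognize are worth investigating.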


How Researchers Uncovered the Scheme

Cybersecurity firm Socket investigated the extension after spotting unusual behavior in its code. Their analysis showed clear intent to manipulate transactions. They also noted that the extension requested permissions that were unnecessary for basic trading functions.

On-chain data shows that the attacker’s wallet has received stolen SOL. The amount remains small, which likely reflects limited adoption so far. Researchers warn that the damage could grow quickly if the extension spreads among active Solana traders.

The extension appeared in the Chrome Web Store during 2024, which raises concerns about store-screening standards. Malicious extensions continue to pass automated checks despite repeated academic warnings.


Why This Attack Matters

Crypto users rely heavily on browser extensions for wallets, analytics and fast trading. These tools often request extensive permissions, including access to transaction data. Attackers exploit that trust and use subtle transaction edits to steal funds.

This type of attack creates several risks:

  • Users lose money without obvious warning
  • Wallet security cannot block malicious instructions once approved
  • Extensions gain power to alter trades in ways users never expect
  • Fraud remains hard to detect when fees look insignificant

Researchers stress that crypto-focused extensions pose a high-value target. Small, unnoticed charges can accumulate into large losses.


How Users Can Protect Themselves

Experts recommend several steps:

  • Install extensions only from trusted developers
  • Review permissions before approval
  • Monitor transaction history for unexplained fees
  • Avoid trading through tools that combine social media and blockchain actions
  • Use wallets with strong security controls

Users should also remove Crypto Copilot immediately if installed.


Conclusion

The discovery of a malicious Chrome extension that siphons funds from Solana traders highlights ongoing risks in the browser-extension ecosystem. Crypto Copilot used hidden instructions and concealed fees to steal money during routine swaps. The incident reinforces the need for strict extension vetting, strong personal security practices and careful transaction review. Staying alert remains the best defense against stealthy financial threats.

