
Solana browser extension ‘Crypto Copilot’ exposed for diverting user funds in secret trades

A Chrome browser extension designed for Solana trading has been exposed for covertly diverting user funds by embedding hidden transfer instructions in swap transactions, according to new findings from cybersecurity firm Socket’s Threat Research Team.

Extension secretly siphons SOL through hidden transfers

The extension – called Crypto Copilot – allows users to trade Solana’s native token (SOL) directly from X (formerly Twitter). However, Socket reports that every swap includes an undisclosed instruction that redirects 0.05% of the transaction value, or a minimum of 0.0013 SOL, to an attacker-controlled wallet.

Published on the Chrome Web Store in mid-2024, Crypto Copilot markets itself as an instant Solana trading tool. According to the report, the confirmation screen shows users only the main swap transaction and intentionally omits the extra transfer instruction.

Obfuscation techniques used to hide malicious behavior

Socket’s researchers found that the extension employs heavy obfuscation—such as code minification and variable renaming—to mask its malicious logic. It also communicates with a backend server hosted at crypto-coplilot-dashboard.vercel.app, which logs connected wallets, tracks user activity, and reports referral data.

A second domain linked to the extension, cryptocopilot.app, remains inactive. Researchers noted that this lack of an operational dashboard is inconsistent with legitimate trading platforms.

Hidden on-chain transfers via Raydium swaps

Crypto Copilot uses Raydium, a Solana-based automated market maker, to process swaps. During each trade, the extension appends a hidden SystemProgram.transfer instruction that executes atomically – meaning both the visible swap and the concealed transfer occur in one on-chain transaction. As a result, users unknowingly authorize the malicious transfer when approving what appears to be a single swap.
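
A defender-side check for the pattern described above, as an added example that is not taken from Socket's report or from the extension: it walks a decoded transaction's instruction list and reports any System Program transfer whose recipient is not on the user's expected list. The account names, the AMM program id and the sample transaction are constructed placeholders; the System Program id and the transfer data layout are Solana's.

```javascript
// Added example: all addresses and the sample transaction are constructed placeholders.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";

// System Program data layout: u32 LE instruction index (2 = Transfer), then u64 LE lamports.
function decodeSystemTransfer(data) {
  if (!(data instanceof Uint8Array) || data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  return view.getUint32(0, true) === 2 ? view.getBigUint64(4, true) : null;
}

// Report every SOL transfer whose recipient the user did not expect to pay.
function findUnexpectedTransfers(instructions, expectedRecipients) {
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID || ix.accounts.length < 2) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) return; // some other System Program instruction
    const [from, to] = ix.accounts;
    if (!expectedRecipients.has(to)) findings.push({ index, from, to, lamports });
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

const USER = "USER_WALLET_PLACEHOLDER";
const USER_WSOL = "USER_WRAPPED_SOL_ACCOUNT_PLACEHOLDER";
const UNKNOWN = "UNDISCLOSED_RECIPIENT_PLACEHOLDER";

// Constructed transaction: wrap SOL, swap, then an extra transfer of 0.0013 SOL.
const SAMPLE_TX = [
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, USER_WSOL], data: transferData(2600000000n) },
  { programId: "AMM_PROGRAM_PLACEHOLDER", accounts: [USER, USER_WSOL], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, UNKNOWN], data: transferData(1300000n) },
];

// Recipients the user knowingly funds in a swap: their own accounts.
const EXPECTED = new Set([USER, USER_WSOL]);

for (const f of findUnexpectedTransfers(SAMPLE_TX, EXPECTED)) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```

The transfer to the user's own wrapped-SOL account passes because it is on the expected list; only the third instruction is reported.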

Low installation numbers but high cumulative risk

Although the extension’s installation count remains relatively low, Socket warned that the cumulative impact may be significant for active traders. Small, repeated fund diversions can add up quickly and may go unnoticed, underscoring the broader risks associated with browser-based crypto tools.

Similar incidents in recent years have involved malicious Chrome and Firefox extensions targeting MetaMask, Phantom, and Coinbase Wallet users, according to industry reports.

Broader implications for crypto security

The Crypto Copilot incident highlights ongoing vulnerabilities in browser-based cryptocurrency trading and the importance of scrutinizing all transaction details before approval, Socket stated.

As browser tools increasingly incorporate on-chain trading features, experts warn that tighter oversight of Chrome’s extension ecosystem may be needed to protect decentralized finance users.

Socket advises Solana traders to verify the legitimacy of extensions, carefully inspect transaction instructions, and stay updated with cybersecurity alerts.
