A Chrome browser extension designed for Solana trading has been exposed for secretly siphoning user funds by inserting hidden transfer instructions into swap transactions, according to a new report from cybersecurity firm Socket’s Threat Research Team.
The extension, called Crypto Copilot, allows users to trade SOL directly from X (formerly Twitter), but Socket found that it covertly redirects a portion of every trade to a wallet controlled by the attacker. Each swap includes a concealed instruction transferring 0.05% of the transaction value — or at least 0.0013 SOL — to a hardcoded address, the firm said.
Published on the Chrome Web Store in mid-2024, Crypto Copilot promotes itself as a fast Solana trading assistant. However, Socket noted that users see only a simplified swap summary during confirmation, with the malicious transfer omitted from the interface.
The extension hides its true behavior using obfuscation techniques such as code minification and variable renaming, according to the analysis. It also communicates with a backend server hosted at crypto-coplilot-dashboard.vercel.app, which logs connected wallets, tracks user activity, and collects referral information. A second associated domain, cryptocopilot.app, remains inactive — a red flag for a legitimate trading service, Socket said.
Crypto Copilot routes swaps through Raydium, a popular Solana automated market maker. The malicious code attaches a hidden SystemProgram.transfer instruction to each Raydium trade, resulting in an on-chain atomic transaction that moves funds to the attacker while appearing to the user as a single normal swap.
Hidden siphoning poses compounding risk
Although the extension’s installation numbers appear limited, Socket warned that small, repeated deductions could result in significant losses for active traders. The incident underscores the growing risks associated with browser-based crypto tools, which have been targeted in past attacks involving malicious Chrome and Firefox extensions impersonating wallets such as MetaMask, Phantom, and Coinbase Wallet.
Socket said the case highlights persistent vulnerabilities in browser-based crypto trading and the need for stricter monitoring of the Chrome extension ecosystem. As more trading features migrate into browser add-ons, users face increased risks from hidden transaction manipulation.
The firm urged Solana users to verify the legitimacy of extensions, inspect all transaction data before approving a swap, and monitor ongoing security research for new threats.
