Solana Investors Hit by Prolonged Malware Attack Capturing Every Swap

A malicious Chrome extension disguised as a Solana trading assistant has been quietly siphoning fees from user swaps for months.

The extension, Crypto Copilot, appeared on the Chrome Web Store in June, targeting traders on the Solana DEX Raydium. It added a hidden second instruction to every swap, redirecting either 0.0013 SOL or 0.05% of the trade to an attacker-controlled wallet.

The exploit relied on atomic transactions: wallet interfaces combine multiple instructions into a single swap, so users unknowingly authorized both the intended trade and the hidden transfer in one signature. Cybersecurity firm Socket, which discovered the activity, warned that this is akin to confirming an order that secretly adds extra charges.

On-chain data shows limited adoption so far, but the scheme scales with trade size. Swaps above 2.6 SOL trigger the 0.05% fee, meaning a 100 SOL swap would lose 0.05 SOL (~$10).
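A pre-signing check for the pattern described above, as an added example that is not Socket's or any wallet's code: it walks a transaction's instruction list, decodes System Program transfers, and flags any whose recipient the user did not expect. The instruction object shape and the placeholder account names are assumptions; the fee rule follows the figures reported here.

```javascript
// Added example. Instructions are modelled as plain objects
// { programId, accounts: [...], data: Uint8Array }, a constructed shape,
// not any wallet library's API.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000n;

// System Program Transfer: u32 LE discriminant 2, then u64 LE lamports.
function parseSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, 12);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer in the transaction whose recipient is not in
// `allowedRecipients` (the user's own accounts, e.g. a wrapped-SOL account).
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  return instructions.map(parseSystemTransfer)
    .filter((t) => t !== null && !allowed.has(t.to));
}

// Fee rule as reported: 0.0013 SOL, or 0.05% once the swap exceeds 2.6 SOL.
function reportedSkimLamports(swapLamports) {
  const flat = 1_300_000n;                   // 0.0013 SOL
  const pct = (swapLamports * 5n) / 10_000n; // 0.05%
  return pct > flat ? pct : flat;
}

// Helper to build the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a 100 SOL swap instruction followed by an appended transfer.
const swap = 100n * LAMPORTS_PER_SOL;
const sampleTx = [
  { programId: "DEX_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET", "POOL_PLACEHOLDER"], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM, accounts: ["USER_WALLET", "UNKNOWN_WALLET_PLACEHOLDER"], data: transferData(reportedSkimLamports(swap)) },
];
const flagged = findUnexpectedTransfers(sampleTx, ["USER_WALLET"]);
console.log(flagged.map((t) => `${t.to}: ${t.lamports} lamports`));
```

The same check applies to any transaction handed to a wallet for signing: an instruction the user did not ask for is visible in the instruction list even when the interface summarizes the whole thing as one swap.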

The extension’s infrastructure appeared hastily built: its main domain, cryptocopilot.app, is parked on GoDaddy, and the backend at crypto-coplilot-dashboard.vercel.app (misspelled) returns a blank page while collecting wallet metadata.

Socket has requested Google remove the extension, but it was still live at the time of reporting. Users are advised to avoid closed-source extensions that request signing privileges and to move assets to new wallets if they interacted with Crypto Copilot.