Cyber Web Spider Blog – News

Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

Posted on November 26, 2025 By CWS

Nov 26, 2025Ravie LakshmananBrowser Safety / Cryptocurrency
Cybersecurity researchers have found a brand new malicious extension on the Chrome Net Retailer that is able to injecting a stealthy Solana switch right into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency pockets.
The extension, named Crypto Copilot, was first revealed by a consumer named “sjclark76” on Might 7, 2024. The developer describes the browser add-on as providing the flexibility to “commerce crypto instantly on X with real-time insights and seamless execution.” The extension has 12 installs and stays out there for obtain as of writing.

“Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet,” Socket security researcher Kush Pandya said in a Tuesday report.

Specifically, the extension contains obfuscated code that comes to life when a user performs a Raydium swap, manipulating it to inject an undisclosed SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.

It works by appending a hidden SystemProgram.transfer util method to each swap before the user’s signature is requested, and sends the fee to a hard-coded wallet embedded in the code. The fee is calculated based on the amount traded, charging a minimum of 0.0013 SOL for trades up to 2.6 SOL and 0.05% of the swap amount if it is more than 2.6 SOL. To avoid detection, the malicious behavior is concealed using techniques like minification and variable renaming.

The extension also communicates with a backend hosted on the domain “crypto-coplilot-dashboard.vercel[.]app” to register connected wallets, fetch points and referral data, and report user activity. The domain, along with “cryptocopilot[.]app,” does not host any real product.

What’s notable about the attack is that users are kept completely in the dark about the hidden platform fee, and the user interface only shows details of the swap. Furthermore, Crypto Copilot uses legitimate services like DexScreener and Helius RPC to lend it a veneer of trust.

“Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing,” Pandya said. “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”
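
The instruction-by-instruction inspection described above can be automated before a transaction is handed to the wallet for signing. The following is an added example, not code from the extension or from Socket's report: it assumes a simplified instruction shape (`programId` and `keys` as base58 strings, `data` as bytes), and every address in the sample is a constructed placeholder.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminant (u32, little-endian)

// Build System Program Transfer data: u32 LE discriminant + u64 LE lamports (12 bytes).
function encodeSystemTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Return the lamports moved by a System Program Transfer, or null for anything else.
function decodeSystemTransfer(data) {
  if (!(data instanceof Uint8Array) || data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// Flag every SOL transfer whose recipient is not an account the user expects to fund.
// expectedRecipients should hold only accounts the user owns (e.g. their wrapped-SOL account).
function findUndisclosedTransfers(instructions, expectedRecipients) {
  const expected = new Set(expectedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null || ix.keys.length < 2) return;
    const [from, to] = ix.keys; // Transfer accounts: [funding account, recipient]
    if (!expected.has(to)) findings.push({ index, from, to, lamports });
  });
  return findings;
}

// Constructed sample: all addresses are placeholders, not values from the report.
const USER = "UserWalletPLACEHOLDER";
const USER_WSOL = "UserWrappedSolPLACEHOLDER";
const sampleInstructions = [
  { programId: SYSTEM_PROGRAM_ID, keys: [USER, USER_WSOL], data: encodeSystemTransfer(1_000_000_000n) }, // wrap 1 SOL
  { programId: "SwapProgramPLACEHOLDER", keys: [USER, USER_WSOL], data: new Uint8Array([9, 0, 0]) }, // the swap itself
  { programId: SYSTEM_PROGRAM_ID, keys: [USER, "UnknownRecipientPLACEHOLDER"], data: encodeSystemTransfer(1_300_000n) }, // 0.0013 SOL
];

const findings = findUndisclosedTransfers(sampleInstructions, [USER_WSOL]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports to unexpected recipient ${f.to}`);
}
```

The check covers only the top-level instructions of the message being signed, which is where the article says the extra transfer is appended.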
