
Warning: New Chrome Extension Drains Solana Traders – 0.05% Stolen Per Swap

A newly discovered malicious Chrome extension is stealing funds from Solana traders by quietly siphoning a fee from each swap they execute, according to new findings from Socket’s Threat Research Team.

The extension, called Crypto Copilot, has been available on the Chrome Web Store since June 2024 and markets itself as a shortcut for executing Solana trades directly from users’ X feeds.

Behind the interface, however, researchers found code designed to insert an extra transfer into every Raydium swap, diverting a minimum of 0.0013 SOL, or 0.05% of every transaction, to an attacker-controlled wallet.

Source: Socket

Crypto Copilot Sends Wallet Data to Suspicious Backend While Draining Trader Funds

Socket researchers say the extension constructs a standard Raydium swap instruction but then appends a second instruction that transfers SOL to the wallet address Bjeida.

Users see only the legitimate swap in the interface, and most wallet confirmation windows display only a high-level summary of the transaction rather than the full list of instructions.

As a result, traders approve what appears to be an ordinary transaction, unaware of the hidden transfer embedded inside it.

The fee logic is fully hardcoded inside the extension and buried under layers of obfuscated JavaScript.

Socket notes that the extension applies whichever is larger of the minimum fee and the percentage-based fee, which means trades above 2.6 SOL incur the full 0.05% extraction.

Researchers found that the extension uses variable renaming and aggressive minification to hide the behavior, and the attacker’s wallet is labeled under an innocuous variable deep inside the bundle.
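The check below is an added example, not code from the extension or from Socket’s report: it reproduces the fee rule described above and flags System Program transfers to unexpected recipients in a decoded instruction list. The instruction object shape, the placeholder addresses and the function names are assumptions made for illustration.

```javascript
// Added illustration; simplified instruction objects, not a real RPC response.
const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const MIN_FEE = 1_300_000; // 0.0013 SOL, the minimum reported in the article
const FEE_BPS = 5;         // 0.05% expressed in basis points

// Fee rule as reported: the larger of the minimum and 0.05% of the swap amount.
function describedFee(swapLamports) {
  return Math.max(MIN_FEE, Math.floor((swapLamports * FEE_BPS) / 10_000));
}

// Return SOL transfers that leave the user's wallet for a recipient the user
// did not expect. `expected` lets the caller allow-list legitimate transfers,
// for example funding the user's own wrapped-SOL account before a swap.
function findUnexpectedTransfers(instructions, userWallet, expected = []) {
  const allowed = new Set([userWallet, ...expected]);
  return instructions.filter(ix =>
    ix.program === SYSTEM_PROGRAM &&
    ix.type === "transfer" &&
    ix.from === userWallet &&
    !allowed.has(ix.to));
}

// Constructed sample: a 10 SOL swap followed by an appended transfer.
const sampleTx = [
  { program: "SWAP_PROGRAM_PLACEHOLDER", type: "swap",
    amountIn: 10 * LAMPORTS_PER_SOL },
  { program: SYSTEM_PROGRAM, type: "transfer",
    from: "USER_WALLET_PLACEHOLDER",
    to: "UNKNOWN_RECIPIENT_PLACEHOLDER", lamports: 5_000_000 },
];

// Audit the sample and note whether each flagged amount fits the reported rule.
function auditSample(expected = []) {
  const swap = sampleTx.find(ix => ix.type === "swap");
  return findUnexpectedTransfers(sampleTx, "USER_WALLET_PLACEHOLDER", expected)
    .map(ix => ({
      to: ix.to,
      lamports: ix.lamports,
      matchesDescribedFee: ix.lamports === describedFee(swap.amountIn),
    }));
}

console.log(auditSample());
```

Any flagged transfer is worth reviewing whether or not its amount fits the reported rule, since the amounts are hardcoded values the operator could change.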

The extension remains online at the time of reporting. Socket says it has submitted a takedown request to Google, but has not received confirmation that action has been taken.

Beyond the fee theft, investigators also found that Crypto Copilot connects to a backend hosted on crypto-coplilot-dashboard.vercel.app, a misspelled domain that shows only a blank placeholder page.

Source: Socket

Despite the empty website, the extension regularly sends connected wallet identifiers and activity data to this backend, along with using a hardcoded Helius API key for transaction simulation and RPC calls.

A separate domain tied to the software, cryptocopilot.app, is currently parked.

Researchers say the absence of documentation, a functioning dashboard, or any supporting infrastructure is inconsistent with a legitimate trading product and instead reflects common practices seen in malicious browser extensions.

While on-chain activity linked to the attacker’s wallet remains limited, investigators believe the low transaction volume likely reflects the extension’s relatively small distribution rather than an absence of risk.

They warn that the mechanism scales with trading activity, which means high-volume users could lose larger amounts over time without noticing the incremental drain.

Crypto Losses Fall to 2025 Lows, but Browser Extension Attacks Continue to Climb

The discovery comes during a period of heightened scrutiny around browser-based crypto threats. In July, more than 40 malicious Firefox extensions were found impersonating major wallet providers, including MetaMask, Coinbase, Phantom, OKX, and Trust Wallet.

Those extensions harvested wallet credentials directly from users’ browsers and transmitted them to attacker-controlled servers.

Exchanges such as OKX publicly warned users and filed complaints after discovering fake plugins masquerading as official wallet tools. Browser extensions have emerged as one of the most persistent attack vectors in 2025, contributing to a rising share of crypto losses.

Wallet-related breaches accounted for $1.7 billion of the $2.2 billion stolen across the first half of the year, according to CertiK. Phishing incidents added another $410 million.

Despite the rise in extension-based threats, the broader crypto sector briefly experienced a decline in successful hacks.

PeckShield recorded just $18.18 million stolen across 15 incidents in October, the lowest monthly total of the year.

That figure had been far higher a month earlier, when losses reached $127.06 million in September, driven by nearly 20 major exploits. But even as overall losses dipped, high-profile breaches continued.

The post Warning: New Chrome Extension Drains Solana Traders – 0.05% Stolen Per Swap appeared first on Cryptonews.
