Dataconomy

Crypto Copilot is robbing users with a hidden Solana transaction fee

A malicious Chrome extension named Crypto Copilot injects a hidden Solana transfer fee into legitimate Raydium swap transactions.

by Kerem Gülen
November 27, 2025
in Cybersecurity, DeFi & Blockchain, News

Cybersecurity researchers at Socket uncovered a malicious Chrome extension on the Chrome Web Store, Crypto Copilot, which injects hidden Solana transfer fees into Raydium swap transactions. Published by user sjclark76 on May 7, 2024, the extension has 12 installs and remains available for download.

The extension presents itself as a tool for trading cryptocurrency directly on X, providing real-time insights and seamless execution. Behind this facade, Crypto Copilot manipulates Solana-based transactions executed on Raydium, a decentralized exchange and automated market maker built on the Solana blockchain. When users initiate a swap through Raydium, the extension activates obfuscated code that appends an additional instruction to the transaction before it reaches the user’s signature stage.

The injected instruction is a SystemProgram.transfer call that moves funds from the user’s wallet to a hard-coded address controlled by the attacker. The transfer amount constitutes a minimum of 0.0013 SOL or 0.05 percent of the total trade value, whichever is greater. For swaps exceeding 2.6 SOL, the fee escalates to 2.6 SOL plus 0.05 percent of the swap amount. Socket security researcher Kush Pandya detailed the mechanism in a report released on Tuesday, stating, “Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hard-coded attacker-controlled wallet.”


To evade detection, the malicious code employs minification techniques and renames variables, rendering the script difficult to analyze. Users encounter no visible indication of this alteration during the transaction process. The extension’s user interface displays only the standard swap details, omitting any reference to the hidden fee. As a result, individuals typically approve the transaction without awareness of the deduction unless they manually review each instruction prior to signing.
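The manual review described above can be automated as a pre-signing check. The following is an added example, not code from Socket's report or from the extension: it decodes System Program transfer instructions in an already-decoded transaction and flags any transfer out of the user's wallet to an unexpected recipient, noting whether the amount matches the "greater of 0.0013 SOL or 0.05 percent" pattern. The instruction object shape, the function names and every address in the sample are assumptions constructed for illustration.

```javascript
// Added example: flag unexpected SystemProgram transfers before signing.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const TRANSFER_INDEX = 2; // System Program instruction enum: 2 = Transfer

// Decode Transfer instruction data: u32 LE index, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== TRANSFER_INDEX) return null;
  return { from: ix.keys[0], to: ix.keys[1], lamports: view.getBigUint64(4, true) };
}

// Fee pattern from the article: the greater of 0.0013 SOL or 0.05% of the trade.
function reportedFeeLamports(tradeLamports) {
  const floor = 1_300_000n; // 0.0013 SOL in lamports
  const pct = (tradeLamports * 5n) / 10_000n; // 0.05%
  return pct > floor ? pct : floor;
}

// Return every transfer out of `wallet` to a recipient not in expectedRecipients.
// Legitimate recipients (e.g. the user's own token accounts) belong in that set.
function findUnexpectedTransfers(instructions, wallet, expectedRecipients, tradeLamports) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t || t.from !== wallet || expectedRecipients.has(t.to)) return;
    findings.push({ index, to: t.to, lamports: t.lamports,
      matchesReportedFee: t.lamports === reportedFeeLamports(tradeLamports) });
  });
  return findings;
}

// Build Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a 1 SOL swap with one appended transfer (placeholder keys).
const WALLET = "UserWalletPlaceholder";
const sampleTx = [
  { programId: "SwapProgramPlaceholder", keys: [WALLET, "PoolPlaceholder"], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, keys: [WALLET, "UnknownRecipientPlaceholder"], data: transferData(1_300_000n) },
];
```

Calling `findUnexpectedTransfers(sampleTx, WALLET, new Set(), 1_000_000_000n)` returns one finding at instruction index 1 with `matchesReportedFee` set to true.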

Crypto Copilot integrates with a backend server at crypto-coplilot-dashboard.vercel.app, where it registers connected wallets, retrieves points and referral information, and logs user activities. The associated domain cryptocopilot.app serves no actual product and functions solely as deceptive infrastructure. The extension further bolsters its appearance of legitimacy by incorporating services from DexScreener for market data and Helius RPC for blockchain interactions.

The destination for the siphoned funds is a personal wallet, distinct from any protocol treasury, which complicates user verification. Pandya emphasized this subtlety, noting, “Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing.” He added that the overall setup prioritizes evading platform scrutiny, observing, “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”


COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.
