Malware Chrome Extension Secretly Siphoned Fees From Solana Traders for Months
A seemingly helpful Chrome extension marketed as a Solana trading assistant has been quietly draining funds from users for months, embedding hidden fees into routine swaps and slipping them to an attacker-controlled wallet.
Cybersecurity firm Socket uncovered the malicious behavior in a browser add-on called Crypto Copilot, which posed as a convenience tool for Solana traders. According to security engineer and researcher Kush Pandya, the extension was discovered during ongoing automated and manual monitoring of extensions listed in the Chrome Web Store.
How the scam worked
Instead of simply helping users execute trades, Crypto Copilot secretly tampered with Solana transactions before they were sent to the network. When a user initiated a swap—particularly on the decentralized exchange Raydium—the extension silently appended an additional instruction to the transaction.
On the surface, everything appeared normal: the interface, the swap parameters, and the estimated fees all looked legitimate. But under the hood, the transaction contained a second, hidden instruction that transferred a small amount of SOL from the user’s wallet to an address controlled by the attacker. This extra instruction was crafted to be subtle enough that most users would never notice it, especially if they were only checking high-level transaction summaries rather than detailed instruction sets.
Over time, those “minor” hidden fees added up. Each trade only skimmed a small fraction of SOL, but the extension was designed to operate quietly and consistently, turning every victim’s repeated activity into a reliable revenue stream for the operator.
Masquerading as a legitimate trading helper
Crypto Copilot was presented as a utility to simplify Solana trading, promising features like streamlined swaps, quicker access to decentralized exchanges, or smarter routing. Its branding, description, and positioning were tailored to appear useful to active traders who rely on browser-based wallets and DeFi platforms.
The extension did not immediately trigger obvious suspicion because it integrated smoothly into the normal Solana workflow. It didn’t drain entire wallets in a single move, demand unusual permissions at first glance, or break existing user flows. Instead, it focused on blending in and extracting value slowly.
From a user’s point of view, it functioned like any other “productivity” extension: it interacted with DEX interfaces, passed along transactions to the wallet, and seemingly improved the experience. That made it far more dangerous than blunt “drainer” malware that simply empties funds when a user signs a bad approval.
Technical sleight of hand: hidden Solana instructions
Solana transactions can contain multiple instructions bundled into a single atomic operation. This is a powerful feature of the network—but it can also be abused. Crypto Copilot exploited that flexibility.
When a user prepared a Raydium swap, the legitimate Raydium instruction remained intact. Crypto Copilot then injected an additional instruction into the same transaction before it reached the wallet for final approval. This extra instruction directed a transfer of SOL from the user’s account to the attacker’s address.
To a casual user reading a transaction summary in a wallet interface, the operation still looked like “Raydium swap” or “token swap.” Wallets often highlight only the main program being called, not every single internal detail, which meant the malicious instruction could easily hide in plain sight.
Pandya’s analysis showed that the extension was coded specifically to target Raydium swap flows and trigger only under relevant conditions, minimizing the chance of detection during less common user actions.
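As an added illustration (not code from Socket's report or from the extension), the JavaScript below decodes a legacy Solana transaction message, walks every instruction rather than just the first program called, and lists each System Program transfer with its recipient and lamport amount, which is the review a wallet summary that only says "Raydium swap" skips. The account keys, the DEX program id, the blockhash and the 5,000-lamport amount in the sample are constructed placeholders; only the System Program id (32 zero bytes) and the wire layout are real.

```javascript
const SYSTEM_PROGRAM = new Uint8Array(32); // all-zero key == base58 "11111111111111111111111111111111"

// Solana "compact-u16" (shortvec) length prefix: 7 bits per byte, high bit set means more bytes follow.
function readCompactU16(buf, pos) {
  let value = 0, shift = 0, b;
  do { b = buf[pos++]; value |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [value, pos];
}

// Parse a legacy (non-versioned) message: 3-byte header, account keys, recent blockhash, instructions.
function decodeLegacyMessage(buf) {
  let pos = 3, n, len;
  [n, pos] = readCompactU16(buf, pos);
  const accountKeys = [];
  for (let i = 0; i < n; i++, pos += 32) accountKeys.push(buf.slice(pos, pos + 32));
  pos += 32; // skip the recent blockhash
  [n, pos] = readCompactU16(buf, pos);
  const instructions = [];
  for (let i = 0; i < n; i++) {
    const programId = accountKeys[buf[pos++]];
    [len, pos] = readCompactU16(buf, pos);
    const accounts = Array.from(buf.slice(pos, pos + len), (idx) => accountKeys[idx]);
    [len, pos] = readCompactU16(buf, pos + len);
    const data = buf.slice(pos, pos + len); pos += len;
    instructions.push({ programId, accounts, data });
  }
  return { accountKeys, instructions };
}

// List every SystemProgram::Transfer (u32 LE instruction index 2, then u64 LE lamports) with its recipient.
function findSystemTransfers(message) {
  const out = [];
  for (const ix of message.instructions) {
    if (!ix.programId.every((b) => b === 0) || ix.data.length < 12) continue;
    const dv = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
    if (dv.getUint32(0, true) === 2) out.push({ to: ix.accounts[1], lamports: dv.getBigUint64(4, true) });
  }
  return out;
}

// Constructed sample (hypothetical keys): a "swap" call to a DEX program followed by a hidden 5,000-lamport transfer.
const USER = new Uint8Array(32).fill(1), ATTACKER = new Uint8Array(32).fill(2), DEX = new Uint8Array(32).fill(3);
function sampleMessage() {
  const lamports = new Uint8Array(8); new DataView(lamports.buffer).setBigUint64(0, 5000n, true);
  return Uint8Array.from([
    1, 0, 2,                                            // header: 1 signer, 0 readonly signed, 2 readonly unsigned
    4, ...USER, ...ATTACKER, ...SYSTEM_PROGRAM, ...DEX, // 4 account keys
    ...new Uint8Array(32).fill(9),                      // recent blockhash (constructed)
    2,                                                  // 2 instructions
    3, 1, 0, 2, 9, 0,                                   // DEX program, accounts [USER], 2 data bytes
    2, 2, 0, 1, 12, 2, 0, 0, 0, ...lamports,            // SystemProgram, accounts [USER, ATTACKER], Transfer(5000)
  ]);
}
```

Running `findSystemTransfers(decodeLegacyMessage(sampleMessage()))` surfaces the second instruction as a 5,000-lamport transfer to ATTACKER; a wallet or browser-side guard can compare such recipients against the user's own accounts and known protocol addresses before the signature prompt.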
Obfuscation and permissions
The malicious logic within Crypto Copilot was not left in plain JavaScript. Socket’s researchers found obfuscated code designed to conceal key routines and make reverse-engineering harder. Variable names were scrambled, logic was fragmented, and critical parts of the code were buried under layers of indirection.
At install time, the extension requested permissions that, taken individually, would not necessarily alarm a non-technical user—such as access to read and modify data on certain domains, or interact with browser tabs. Combined, however, these permissions gave it enough reach to monitor DeFi interfaces, intercept transaction construction processes, and manipulate payloads before they reached wallet extensions.
This is a recurring pattern in extension-based attacks: rather than asking for obviously excessive powers, attackers assemble a set of plausible permissions that together enable full control over key user flows.
Months of undetected abuse
According to Socket, the malicious behavior has been present since at least June, implying that the extension had been quietly siphoning off SOL for months before it was identified and flagged. During that time, every affected swap could have included a small, invisible bonus payment to the attacker.
Because the extension focused on subtle skimming instead of large, sudden thefts, there were few obvious red flags. Users saw their swaps execute correctly, their tokens arrive, and their balances adjust as expected. The only discrepancy was a small, cumulative shortfall in SOL that many traders might write off as normal fee variance or network usage.
The longer such malware remains active, the harder it becomes for individual users to reconstruct exactly how much they have lost—especially if they execute hundreds or thousands of transactions across multiple DeFi platforms.
What affected users should do
Anyone who installed or used a Chrome extension named Crypto Copilot, particularly in combination with Solana DeFi platforms like Raydium, should assume that at least some of their transactions may have been manipulated.
Immediate steps include:
1. Uninstall the extension from the browser and ensure it is fully removed.
2. Stop using any browser profile or device that had the extension installed for sensitive wallet operations until it has been thoroughly checked for other malware.
3. Review past transactions on Solana for unexplained, small SOL transfers to addresses that you do not recognize, especially those attached to swap transactions.
4. Rotate wallets:
– Create a new Solana wallet with fresh seed phrases.
– Transfer assets from the potentially compromised wallet to the new one.
– Avoid reusing private keys or seed phrases that were ever accessible via a compromised environment.
5. Revoke approvals and connections in DeFi interfaces, where applicable, after moving funds to a clean wallet.
While this specific attack focused on injecting discrete fee transfers, users should treat any environment that executed malware as fundamentally untrusted until they fully sanitize or replace it.
Why Chrome extensions are an attractive attack vector
Crypto Copilot highlights a broader and growing risk: browser extensions have become a prime target for attackers seeking to exploit the intersection of DeFi and everyday web browsing.
Extensions sit in a privileged position. They often:
– See and modify web page content, including embedded wallets and DEX UIs.
– Intercept or alter data passed between user interfaces and wallet extensions.
– Persist across browsing sessions and multiple sites.
– Operate largely in the background, with minimal user interaction.
For crypto users, that combination is dangerous. Even if your wallet software is secure and your private keys are never directly exposed, a malicious extension can still change what you sign. It doesn’t need to know your seed phrase; it only needs to shape the transaction so that, when you willingly approve it, you are unknowingly sending funds to an attacker.
How to vet extensions before installing them
This incident underlines the importance of being extremely selective about any extension installed in a browser used for crypto activity. Some basic precautions include:
– Use a dedicated browser solely for crypto, with as few extensions as possible—ideally none beyond your wallet.
– Scrutinize permissions when installing: if an extension needs broad access to “read and change data on all websites” or to inspect web traffic, treat that as a significant risk.
– Check the developer history: anonymous publishers with no track record or newly created extensions pose more risk.
– Watch for sudden updates: an extension might be benign at launch but later updated with malicious code, especially if the developer account or ownership is sold or compromised.
– Consider open-source and audited tools where the codebase and security posture can be more easily reviewed by independent experts.
Even with these safeguards, no approach is perfect. The safest strategy for serious traders is to minimize reliance on third-party extensions entirely and confine wallet actions to well-audited, standalone applications or hardware wallets whenever possible.
The broader security implications for Solana and DeFi
The Crypto Copilot incident is not a vulnerability in Solana itself or in Raydium’s core protocols; rather, it is an example of how the surrounding ecosystem—browsers, extensions, and user interfaces—can become the weakest link.
Layered on top of any blockchain are:
– Wallets and signers.
– Browser environments and mobile operating systems.
– UI layers for DEXs, lending platforms, and NFT marketplaces.
– Third-party utilities marketed as “helpers” or “copilots.”
An attacker only needs one of these layers to be compromised to reliably extract value. As DeFi grows more complex, with multi-step transactions and more sophisticated routing, it becomes easier to hide malicious behavior inside legitimate-looking interactions.
For Solana users who rely heavily on speed and frequent trading, the temptation to install tools that promise convenience or automation is strong. This incident shows that convenience can carry hidden costs—literally.
Building safer habits for on-chain activity
Going forward, Solana traders and DeFi participants can adopt a few concrete habits to reduce their exposure:
– Treat every additional plugin, script, or extension as a potential security liability, not a neutral add-on.
– Regularly audit your browser environment: uninstall anything you do not strictly need.
– When signing transactions, expand and review the details if your wallet allows it, particularly when interacting with new tools or platforms.
– Keep a portion of funds in long-term storage on wallets and devices that never touch a web browser, using separate, smaller “hot” wallets for day-to-day trading.
Security in crypto is increasingly not just about protecting keys, but also about defending the entire path between your intention (“swap token A for token B”) and the actual transaction executed on-chain. Crypto Copilot exploited that gap.
As tools like Socket continue to monitor and surface malicious extensions, users still remain the final line of defense. Careful extension hygiene, skepticism toward “helpful” trading add-ons, and disciplined separation between browsing and custody environments are becoming essential skills for anyone trading on Solana or any other blockchain.