Malware in Chrome Extension Found Stealing SOL via Hidden Swap Fees


Security researchers at Socket have identified a deceptive Chrome extension called Crypto Copilot. It presents itself as a legitimate Solana trading tool but quietly siphons SOL out of every swap a user makes through it.

The Chrome Web Store listing never mentions a fee or any transfer to a third party. An undisclosed charge like this is a key indicator that the behaviour is malicious rather than a poorly documented feature.

Behind its clean interface, the extension carries minified, obfuscated code whose sole purpose is to divert SOL from the user.

After building the normal Raydium swap instructions, it computes a “platform fee” from hardcoded constants and appends a second instruction, a SystemProgram.transfer, that sends that amount of SOL to the attacker’s wallet: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7.

The fee is whichever is larger: a flat 0.0013 SOL or 0.05% of the swap amount.
Swaps below 2.6 SOL pay the flat fee; anything larger pays the percentage.
Example: a 100 SOL swap sends 0.05 SOL to the attacker.

The fee logic is heavily minified and its identifiers renamed, so the calculation is not obvious from a casual read of the code.

The hidden transfer is packed into the same transaction as the real swap. Many wallet approval prompts summarise a transaction rather than listing each instruction, so the extra transfer is easy to miss.

As a result, users believe they are approving a single swap, but both instructions execute together on-chain, and a transaction is atomic: there is no way to approve the swap and reject the transfer.
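The following JavaScript is an added illustration, not code from the Crypto Copilot extension or from Socket’s analysis. It models the fee formula described above and the kind of pre-signing instruction audit recommended later in this article: it builds a transaction with a Raydium-style swap followed by a hidden SystemProgram.transfer, then walks every instruction and flags transfers to any address the user did not intend to pay. The System Program ID and the Transfer instruction layout (little-endian u32 index 2 followed by a u64 lamport amount) are real Solana conventions; the user wallet address, the Raydium program placeholder and the sample transaction are constructed for the demo.

```javascript
// Added example: models the hidden-fee formula and a pre-signing audit.
// Not code from the extension or from Socket. Only the System Program ID and
// the Transfer layout (u32 LE index 2, then u64 LE lamports) are real Solana facts;
// the user wallet, the Raydium placeholder and the sample transaction are constructed.

const LAMPORTS_PER_SOL = 1_000_000_000n;
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real Solana System Program
const TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminant

// Attacker wallet named in the report.
const ATTACKER = "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7";

// Fee as described: max(0.0013 SOL, 0.05% of the swap), computed in lamports.
// 0.0013 SOL = 1_300_000 lamports; 0.05% = amount / 2000 (integer division).
function hiddenFeeLamports(swapLamports) {
  const fixed = 1_300_000n;
  const pct = swapLamports / 2000n;
  return pct > fixed ? pct : fixed;
}

// Encode a SystemProgram.transfer exactly as the on-chain program expects it.
function encodeTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, TRANSFER_INDEX, true); // instruction index, little-endian
  view.setBigUint64(4, lamports, true);    // amount in lamports, little-endian
  return {
    programId: SYSTEM_PROGRAM_ID,
    keys: [
      { pubkey: from, isSigner: true, isWritable: true },
      { pubkey: to, isSigner: false, isWritable: true },
    ],
    data,
  };
}

// Constructed stand-in for the real swap instruction; only its programId matters here.
function fakeRaydiumSwap(user) {
  return {
    programId: "RaydiumAmmPlaceholder111111111111111111111", // hypothetical, not the real ID
    keys: [{ pubkey: user, isSigner: true, isWritable: true }],
    data: new Uint8Array([9]),
  };
}

// What the extension does: append the fee transfer to the same transaction as the swap.
function buildMaliciousSwapTx(user, swapLamports) {
  return {
    feePayer: user,
    instructions: [
      fakeRaydiumSwap(user),
      encodeTransfer(user, ATTACKER, hiddenFeeLamports(swapLamports)),
    ],
  };
}

// Pre-signing audit: decode every System Program transfer in the transaction and
// report any whose destination is not an address the user expects to fund.
function auditTransfers(tx, expectedRecipients) {
  const allowed = new Set(expectedRecipients);
  const findings = [];
  tx.instructions.forEach((ix, i) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return;
    const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
    if (view.getUint32(0, true) !== TRANSFER_INDEX) return;
    const lamports = view.getBigUint64(4, true);
    const to = ix.keys[1].pubkey;
    if (!allowed.has(to)) {
      findings.push({ index: i, to, lamports, sol: Number(lamports) / 1e9 });
    }
  });
  return findings;
}

// Demo: a 100 SOL swap through the malicious builder, audited before signing.
const USER = "UserWalletConstructed1111111111111111111111"; // constructed address
const demoTx = buildMaliciousSwapTx(USER, 100n * LAMPORTS_PER_SOL);
for (const f of auditTransfers(demoTx, [USER])) {
  console.log(`instruction ${f.index}: unexpected transfer of ${f.sol} SOL to ${f.to}`);
}
```

The audit deliberately allow-lists only the user’s own addresses: a plain token swap has no reason to move SOL to a third-party wallet, so any System Program transfer to an unknown destination is worth refusing. The same walk can be applied to the decoded instruction list a wallet shows in its advanced or “simulation” view, even when the prompt’s summary line reads like a single swap.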

Fake Setup

The extension points at a backend (crypto-coplilot-dashboard[.]vercel[.]app) and a main site (cryptocopilot[.]app), neither of which functions.

The backend serves a blank page and the main site is parked; the misspelling “coplilot” in the backend hostname suggests hastily assembled, throwaway infrastructure rather than a real product.

On-chain data shows only a handful of fee transfers so far, but the risk scales with use.

Because the fee grows with swap size and volume, an active trader could lose a significant amount over time, giving the attacker a steady revenue stream for as long as the extension stays installed.

Recommendations for Users

At the time of writing, Crypto Copilot is still listed on the Chrome Web Store; Socket has asked Google to remove it.

  • Avoid closed-source trading extensions that request transaction-signing permissions.
  • Install wallet extensions only from the publisher’s verified page, not from store search results.
  • If you used Crypto Copilot, move your assets to a fresh wallet and revoke the extension’s connection to every site and dApp.
  • Inspect every instruction in a transaction before signing, especially on Solana, and treat any SystemProgram.transfer to an address you do not recognise as a reason to reject, even if the wallet prompt summarises the transaction as a single swap.


About the Author: FirstHackersNews
