rewrite this content using a minimum of 1000 words and keep HTML tags In brief
Chrome extension Crypto Copilot secretly adds a hidden SOL transfer to every Raydium swap, siphoning fees to an attacker’s wallet.
Security platform Socket found the extension uses obfuscated code and a misspelled, inactive backend domain to mask its activity.
On-chain theft remains small so far, but the mechanism scales with trade size, and the extension is still live on the Chrome Web Store.
A Chrome extension marketed as a convenient trading tool has been secretly siphoning SOL from users’ swaps since last June, injecting hidden fees into every transaction while masquerading as a legitimate Solana trading assistant.Cybersecurity firm Socket discovered malware extension Crypto Copilot during “continuous monitoring” of the Chrome Web Store, security engineer and researcher Kush Pandya told Decrypt.
🚨 Socket researchers uncovered a malicious Chrome extension that injects hidden #SOL transfers into Raydium swaps, quietly siphoning fees to an attacker wallet.
Full analysis → https://t.co/bdGOXViJpA #Solana
— Socket (@SocketSecurity) November 25, 2025In an analysis of the malicious extension published Wednesday, Pandya wrote that Crypto Copilot quietly appends an extra transfer instruction to every Solana swap, extracting a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet.“Our AI scanner flagged multiple indicators: aggressive code obfuscation, a hardcoded Solana address embedded in transaction logic, and discrepancies between the extension’s stated functionality and actual network behavior,” Pandya told Decrypt, adding that “These alerts triggered deeper manual analysis that confirmed the hidden fee extraction mechanism.”The research points to risks in browser-based crypto tools, particularly extensions that combine social media integration with transaction signing capabilities.The extension has remained available on the Chrome Web Store for months, with no warning to users about the undisclosed fees buried in heavily obfuscated code, the report says.”The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code,” Pandya noted.Each time a user swaps tokens, the extension generates the proper Raydium swap instruction but discreetly tacks on an extra transfer directing SOL to the attacker’s address.Raydium is a Solana-based decentralized exchange and automated market maker, whereas a “Raydium swap” simply refers to exchanging one token for another through its liquidity pools.Users who installed Crypto Copilot, believing it would streamline their Solana trading, have unknowingly been paying hidden fees with every swap, fees that never appeared in the extension’s marketing materials or Chrome Web Store listing.The interface shows only the swap details, and wallet pop-ups summarize the transaction, so users sign what looks like a single swap even though both instructions execute simultaneously on-chain.The attacker’s wallet has received only small amounts to date, a sign that Crypto Copilot hasn’t reached many users yet, rather than an indication that the exploit is low-risk, as per the report.The fee mechanism scales with trade size, as for swaps under 2.6 SOL, the minimum 0.0013 SOL fee applies, and above that threshold, the 0.05% percentage fee takes effect, meaning a 100 SOL swap would extract 0.05 SOL, roughly $10 at current prices.The extension’s main domain cryptocopilot[.]app is parked by domain registry GoDaddy, while the backend at crypto-coplilot-dashboard[.]vercel[.]app, notably misspelled, displays only a blank placeholder page despite collecting wallet data, the report says.Socket has submitted a takedown request to Google’s Chrome Web Store security team, though the extension remained available at the time of publication.The platform has urged users to review each instruction before signing transactions, avoid closed-source trading extensions requesting signing permissions, and migrate assets to clean wallets if they installed Crypto Copilot.Malware patternsMalware remains a growing concern for crypto users. In September, a malware strain called ModStealer was found targeting crypto wallets across Windows, Linux, and macOS through fake job recruiter ads, evading detection by major antivirus engines for almost a month.Ledger CTO Charles Guillemet has previously warned that attackers had compromised an NPM developer account, with malicious code attempting to silently swap crypto wallet addresses during transactions across multiple blockchains.Daily Debrief NewsletterStart every day with the top news stories right now, plus original features, a podcast, videos and more. and include conclusion section that’s entertaining to read. do not include the title. Add a hyperlink to this website http://defi-daily.com and label it “DeFi Daily News” for more trending news articles like this
Source link
