Hidden Danger: Chrome Extension Exploits Solana Wallets

  • Nov 27, 2025
  • 2 min read

Key Findings


  • Cybersecurity researchers have discovered a malicious Chrome extension named "Crypto Copilot" that injects hidden Solana transfer fees into Raydium swap transactions.

  • The extension silently appends an extra transfer instruction to each swap, siphoning the larger of 0.0013 SOL and 0.05% of the trade amount to an attacker-controlled wallet.

  • The malicious behavior is concealed through obfuscation techniques, and the extension's user interface only shows the legitimate swap details, hiding the theft.

  • The extension communicates with a backend infrastructure that appears to be designed to pass Chrome Web Store review and provide a veneer of legitimacy.


Background


The "Crypto Copilot" Chrome extension was first published on May 7, 2024, by a user named "sjclark76". The developer describes the extension as offering the ability to "trade crypto directly on X with real-time insights and seamless execution."


Malicious Behavior


  • The extension injects an extra "SystemProgram.transfer" instruction into every Raydium swap transaction, sending a portion of the funds to a hardcoded attacker-controlled wallet.

  • The fee is calculated from the amount traded: a flat minimum of 0.0013 SOL, rising to 0.05% of the swap amount once the swap exceeds 2.6 SOL (the point at which 0.05% equals 0.0013 SOL).

  • The malicious behavior is concealed through techniques like minification and variable renaming, making it difficult to detect.


Backend Infrastructure


  • The extension communicates with a backend hosted on the domain "crypto-coplilot-dashboard.vercel[.]app" to register connected wallets, fetch points and referral data, and report user activity.

  • The domain, along with "cryptocopilot[.]app," does not host any real product, indicating the illegitimate nature of the tool.

  • The extension also embeds a Helius RPC API key directly in the client code, so anyone who unpacks the extension bundle can read and abuse that credential.


Impact and Mitigation


  • The hidden nature of the theft makes it difficult for users to detect, as the user interface only shows the legitimate swap details.

  • The extension remains available on the Chrome Web Store, and Socket has submitted a takedown request to Google.

  • Users are advised to exercise caution when using third-party crypto-related extensions and to carefully review transaction details before signing.
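The injected transfer described under Malicious Behavior and the "review before signing" advice above both come down to the same defender-side check: before a wallet signs, walk the decoded instruction list and flag any System Program transfer whose destination the user was never shown. The block below is an added example, not code from the original post or from the extension or Raydium; the instruction object shape, the placeholder account names and the sample transaction are all constructed for this illustration, and a real wallet would decode instructions from the serialized transaction (for instance with @solana/web3.js) before applying the same logic. The fee numbers are the ones reported on this page.

```javascript
// Added example: wallet-side pre-signing review of a decoded Solana transaction.
// Assumed simplified instruction model: { programId, from, to, lamports }.

const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program

// Fee schedule the report attributes to the extension:
// max(0.0013 SOL, 0.05% of the swap amount); the two branches meet at 2.6 SOL.
// Integer lamport arithmetic avoids floating-point drift.
function reportedFeeLamports(swapLamports) {
  const floorLamports = 1_300_000;                              // 0.0013 SOL
  const pctLamports = Math.floor((swapLamports * 5) / 10_000);  // 0.05%
  return Math.max(floorLamports, pctLamports);
}

// Return every System Program transfer whose destination is not in the set of
// recipients the UI disclosed (the user's own accounts, the swap's accounts).
function findUndisclosedTransfers(tx, shownRecipients) {
  const disclosed = new Set(shownRecipients);
  return tx.instructions
    .map((ix, index) => ({ ...ix, index }))
    .filter((ix) => ix.programId === SYSTEM_PROGRAM_ID && ix.lamports > 0)
    .filter((ix) => !disclosed.has(ix.to))
    .map((ix) => ({
      index: ix.index,
      to: ix.to,
      lamports: ix.lamports,
      sol: ix.lamports / LAMPORTS_PER_SOL,
      // Does the amount line up with the schedule described in the report?
      matchesReportedSchedule: ix.lamports === reportedFeeLamports(tx.swapLamports),
    }));
}

// Decision helper: refuse to sign when any undisclosed transfer is present.
function reviewBeforeSigning(tx, shownRecipients) {
  const flagged = findUndisclosedTransfers(tx, shownRecipients);
  return { safeToSign: flagged.length === 0, flagged };
}

// Constructed sample (placeholder addresses): a swap whose instruction list
// wraps SOL into the user's own account, performs the swap, and, when
// `withHiddenFee` is set, ends with a trailing transfer to an undisclosed wallet,
// mirroring the "appended extra transfer instruction" the report describes.
function buildSampleSwap(swapLamports, withHiddenFee) {
  const USER = "UserWallet_PLACEHOLDER";
  const USER_WSOL = "UserWsolAccount_PLACEHOLDER";
  const SWAP_PROGRAM = "SwapProgram_PLACEHOLDER";
  const instructions = [
    { programId: SYSTEM_PROGRAM_ID, from: USER, to: USER_WSOL, lamports: swapLamports },
    { programId: SWAP_PROGRAM, from: USER_WSOL, to: USER, lamports: 0 },
  ];
  if (withHiddenFee) {
    instructions.push({
      programId: SYSTEM_PROGRAM_ID,
      from: USER,
      to: "UndisclosedWallet_PLACEHOLDER",
      lamports: reportedFeeLamports(swapLamports),
    });
  }
  return { swapLamports, instructions, shownRecipients: [USER, USER_WSOL] };
}

// Demo run: a 10 SOL swap carrying the hidden fee is refused.
const demoTx = buildSampleSwap(10 * LAMPORTS_PER_SOL, true);
console.log(JSON.stringify(reviewBeforeSigning(demoTx, demoTx.shownRecipients), null, 2));
```

The allowlist approach matters more than the amount check: a trailing transfer of 0.005 SOL on a 10 SOL swap is easy to overlook in a long instruction list, but a destination the UI never named is a hard signal regardless of size. The schedule comparison is only there to help an analyst attribute a flagged transfer to this particular extension.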


Sources


  • https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

  • https://securityonline.info/hidden-theft-crypto-copilot-chrome-extension-drains-solana-wallets-on-x/

  • https://www.reddit.com/r/SecOpsDaily/comments/1p75z59/chrome_extension_caught_injecting_hidden_solana/

  • https://x.com/TheCyberSecHub/status/1993646721377935603

  • https://www.xt.com/en/blog/post/chrome-extension-caught-injecting-hidden-solana-transfer-fees-into-raydium-swaps-the-hacker-news

  • https://www.cypro.se/2025/11/26/chrome-extension-caught-injecting-hidden-solana-transfer-fees-into-raydium-swaps/

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page