A deceptive Chrome extension secretly funneled fees from Solana (SOL) trades to an attacker-controlled wallet, exploiting users for months under the guise of a legitimate trading assistant.
Quick Summary – TLDR:
- A malicious Chrome extension called Crypto Copilot covertly skimmed fees from every Solana swap, rerouting them to a hardcoded wallet.
- The malware embedded hidden instructions in transactions, invisible to most users.
- Despite appearing trustworthy, it exfiltrated wallet data and mimicked legitimate trading tools.
- Cybersecurity firm Socket reported the extension to Google, but it remained live on the Chrome Web Store during the investigation.
What Happened?
The malicious extension, Crypto Copilot, was publicly available on the Chrome Web Store since June 2024, marketed as a productivity tool for Solana traders. It offered seamless integration with Phantom and Solflare wallets, support for one-click swaps, and displayed decentralized exchange (DEX) data. But beneath its slick interface, it was quietly siphoning crypto fees from user trades.
solana traders getting robbed silently
A Chrome extension named “Crypto Copilot” was secretly adding extra instructions to every swap and draining small amounts of SOL from users for months If you ever used it check your tx history now this is not a bug this is straight up… pic.twitter.com/l1YdWqyk7x
— BRAXXY (@CryptoBraxxy) November 27, 2025
A Sophisticated Sleight of Hand
Crypto Copilot used a particularly sneaky technique. Instead of draining an entire wallet like traditional crypto malware, it injected a second, invisible instruction into every Raydium swap. This instruction transferred either 0.0013 SOL or 0.05% of the transaction amount to an attacker’s wallet.
- All transactions looked normal to the user.
- The Chrome extension summarized swap details, concealing the malicious component.
- Users signed off on these bundled transactions without realizing the extra instruction.
- Everything executed atomically on-chain, making it difficult to detect.
Socket described it this way: “Users sign what appears to be a single swap, but both instructions execute atomically on-chain.” This means both the legitimate swap and the stealthy siphon occurred together without alerting the user.
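The bundled-instruction pattern described above is something a wallet, or a cautious user with a transaction decoder, can check before signing. The following is an added example (not Socket's code and not the extension's) that walks the decoded instructions of a Solana transaction and flags any System Program SOL transfer to a recipient the signer did not intend; the DEX program id and wallet addresses are constructed placeholders.

```javascript
// Added example, not code from Socket's report or from the extension itself.
// Wallet and DEX program addresses below are constructed placeholders; only the
// Solana System Program id is the real one.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // discriminator of SystemInstruction::Transfer

// Build the 12-byte data of a System Program Transfer: u32 LE index, u64 LE lamports.
function encodeSystemTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Return the lamport amount if `data` is a System Transfer, otherwise null.
function decodeSystemTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// Walk every instruction of a decoded transaction and report each SOL transfer
// whose recipient is not an account the signer expects to pay. A swap bundled
// with such a transfer is the pattern in the article: one swap shown, two signed.
function auditTransaction(tx, expectedRecipients) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.accounts; // Transfer account order: [funding, recipient]
    if (!expectedRecipients.has(to)) findings.push({ index, from, to, lamports });
  });
  return findings;
}

// Constructed sample: a swap instruction (opaque data) followed by a hidden
// 0.0013 SOL (1,300,000 lamport) transfer to a wallet the user never chose.
const USER = "UserWallet_PLACEHOLDER";
const sampleTx = {
  instructions: [
    { programId: "DexProgram_PLACEHOLDER", accounts: [USER], data: new Uint8Array([9, 1, 2, 3]) },
    { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "AttackerWallet_PLACEHOLDER"],
      data: encodeSystemTransfer(1_300_000) },
  ],
};
console.log(auditTransaction(sampleTx, new Set([USER]))); // one finding: instruction 1, 1300000n lamports
```

A real wallet would decode the serialized message from the dApp's signing request rather than receive pre-decoded objects, but the check itself is the same: any lamport transfer whose recipient you did not pick is a reason to reject the transaction.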
Stolen Metadata and Misleading Design
Beyond financial theft, the extension also exfiltrated public wallet keys and metadata to attacker-run servers. Socket’s analysts uncovered obfuscated JavaScript within the extension code that tampered with transaction logic. Despite the suspicious backend, including a broken dashboard and typos in domains like crypto-coplilot-dashboard.vercel.app, the extension still appeared legitimate on the Chrome Web Store.
It even claimed to allow users to trade directly from their X (formerly Twitter) feeds, promoting speed and convenience.
Broader Pattern of Browser-Based Crypto Attacks
Crypto Copilot is just the latest in a growing trend of supply-chain attacks targeting browser wallet users. These attacks exploit the trust users place in browser extensions, especially those related to cryptocurrency.
- In June 2024, a Chinese trader lost $1 million to a malicious Chrome plugin called Aggr.
- Earlier this year, Jupiter reported another Chrome extension draining Solana wallets.
- Socket previously flagged a top crypto wallet extension on the Chrome Web Store that actively drained funds.
These repeated incidents show the urgent need for vigilance among crypto users relying on browser-based wallets.
What Should Users Do?
Socket has submitted a formal takedown request to Google, but at the time of its report, Crypto Copilot was still live on the Chrome Store. The extension had around 15 users at last count, suggesting limited adoption so far. However, its method of skimming based on trade size makes it highly scalable.
Security experts advise the following:
- Audit all installed Chrome extensions.
- Avoid closed-source tools that request signing privileges.
- Manually inspect transactions before approving them.
- Move funds to hardware wallets when possible.
- If Crypto Copilot was used, migrate assets to a fresh wallet immediately.
SQ Magazine Takeaway
I think this is a wake-up call for anyone using browser extensions in the crypto world. The convenience of one-click trading tools is tempting, but it comes with serious risks. Crypto Copilot was built to look helpful, but underneath, it was bleeding users dry with every swap. If you’re not triple-checking every extension or transaction, you’re gambling with your funds. Let this be a reminder to trust only audited tools and to prioritize security over speed.
