Malware Chrome Extension Secretly Siphoned Fees From Solana Traders for Months

Summary

A Chrome extension named Crypto Copilot, promoted as a Solana trading tool, has been secretly siphoning SOL from user transactions since June 2025 by injecting hidden fees into every Raydium swap. Cybersecurity firm Socket identified the malware through AI-driven monitoring, uncovering code obfuscation, an embedded attacker wallet address, and network behavior discrepancies. Crypto Copilot adds an undisclosed extra transfer instruction to each swap, extracting either a minimum of 0.0013 SOL or 0.05% of the trade amount, depending on swap size, and sends the fees to an attacker-controlled wallet. Users see no indication of this deduction in the extension or their wallet pop-ups, as the malicious logic is deeply concealed. The exploit’s reach is currently limited, but the extension remained available in the Chrome Web Store at the time of reporting. Socket has notified Google and advised users to stop using the extension, review every transaction instruction, avoid closed-source tools requesting signing rights, and transfer funds to new wallets if affected. This incident highlights ongoing malware threats in crypto, especially via browser-based trading extensions.
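One way to act on the advice to review every transaction instruction, as an added example that is not code from Socket or from the extension: it walks a decoded instruction list before signing and flags any System Program SOL transfer to a recipient the user did not expect. The instruction shape, the placeholder account names, and reading the fee rule as "whichever of the two amounts is larger" are assumptions.

```javascript
// Added example: audit a decoded Solana transaction before signing.
// The { programId, accounts, data } shape is an assumption for this sketch.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // System Program id
const LAMPORTS_PER_SOL = 1_000_000_000n;
const MIN_FEE = 1_300_000n; // 0.0013 SOL, the minimum named in the report

// Fee pattern from the report: 0.05% of the trade or 0.0013 SOL
// (assumption: the larger of the two is taken).
function reportedFee(swapLamports) {
  const pct = (swapLamports * 5n) / 10_000n;
  return pct > MIN_FEE ? pct : MIN_FEE;
}

// Decode a System Program Transfer: u32 LE tag 2, then u64 LE lamports.
function decodeTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length < 12) return null;
  if (ix.data.readUInt32LE(0) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1],
           lamports: ix.data.readBigUInt64LE(4) };
}

// Return every SOL transfer whose recipient is not on the expected list.
function auditTransaction(instructions, expectedRecipients, swapLamports) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeTransfer(ix);
    if (!t || expectedRecipients.has(t.to)) return;
    findings.push({ index, to: t.to, lamports: t.lamports,
      matchesReportedFee: t.lamports === reportedFee(swapLamports) });
  });
  return findings;
}

// Constructed sample input: placeholder names, not real addresses.
function transferData(lamports) {
  const b = Buffer.alloc(12);
  b.writeUInt32LE(2, 0);
  b.writeBigUInt64LE(lamports, 4);
  return b;
}
const sampleTx = [
  // Swap instruction with opaque constructed bytes
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: ["USER", "POOL"],
    data: Buffer.from([0]) },
  // Extra transfer appended after the swap
  { programId: SYSTEM_PROGRAM, accounts: ["USER", "UNKNOWN_WALLET"],
    data: transferData(5_000_000n) },
];
console.log(auditTransaction(sampleTx, new Set(["USER"]), 10n * LAMPORTS_PER_SOL));
```

A finding is worth investigating whether or not `matchesReportedFee` is true, since any unexpected outbound transfer in a swap transaction is suspect.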