A stealthy browser extension labeled ‘Crypto Copilot’ was discovered siphoning transaction fees from users’ Solana swaps for months before being identified by cybersecurity firm Socket. The extension, available on the Chrome Web Store since June 2025, posed as a trading assistant for Raydium users but executed hidden transfer instructions alongside legitimate swap transactions.
Upon installation, ‘Crypto Copilot’ injected an additional instruction into each DEX swap bundle, diverting either 0.0013 SOL or 0.05% of the swap amount to an attacker-controlled wallet. By leveraging atomic transaction execution in Solana, the extension bypassed wallet interface warnings, causing unsuspecting users to authorize both intended and malicious transfers simultaneously.
On-chain analysis revealed a small number of victims so far, with minimal cumulative loss. However, the exploit scales linearly with trade volume, potentially siphoning substantial amounts from high-volume traders. For example, a 100 SOL swap would reroute 0.05 SOL, equivalent to roughly $10 at prevailing exchange rates, per transaction.
Security experts noted that the extension’s backend infrastructure lacked operational maturity. The primary domain, cryptocopilot.app, was parked on a generic hosting service, while the dashboard endpoint contained typographical errors, returning blank pages. Such oversights suggest the exploit originated from amateur threat actors or a freelance effort rather than a sophisticated state-aligned campaign.
Chrome Web Store procedures allowed the extension to remain live despite automated review mechanisms. Socket filed a formal takedown request, but at the time of reporting, removal was pending. Users are advised to audit installed extensions, revoke signing privileges, and migrate funds to new wallets if they engaged with the compromised tool.
Crypto exchange platforms and wallet providers have been urged to implement extension whitelisting controls, multi-signature approval workflows, and real-time transaction decoding to detect appended instructions. Industry stakeholders are evaluating enhanced heuristics to flag composite transactions that deviate from typical swap patterns.
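As an added illustration, not code from Socket's report or from the extension itself, the following Python sketch models the transaction decoding the article calls for: walk the instructions of a swap transaction and flag any System Program transfer debited from the signer whose destination is not an account the user owns. The System Program id and its transfer encoding are real; the swap program id, wallet keys and the sample bundle are constructed placeholders.

```python
import struct
from dataclasses import dataclass
SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real Solana System Program id
SYSTEM_TRANSFER_INDEX = 2                            # System Program "Transfer" variant
LAMPORTS_PER_SOL = 1_000_000_000
# Placeholders, not values from the report: the swap program and the wallets involved.
SWAP_PROGRAM = "SwapProgramPlaceholder1111111111111111111111"
USER_WALLET = "UserWalletPlaceholder111111111111111111111111"
USER_WSOL_ACCOUNT = "UserWsolAccountPlaceholder111111111111111111"
SKIM_WALLET = "AttackerWalletPlaceholder1111111111111111111"

@dataclass
class Instruction:
    program_id: str
    accounts: list      # ordered account keys the instruction touches
    data: bytes = b""

def make_transfer_ix(src, dst, lamports):
    """Encode a System Program transfer: u32 LE variant index, then u64 LE lamports."""
    return Instruction(SYSTEM_PROGRAM, [src, dst], struct.pack("<IQ", SYSTEM_TRANSFER_INDEX, lamports))

def decode_system_transfer(ix):
    """Return (source, destination, lamports) for a System transfer, else None."""
    if ix.program_id != SYSTEM_PROGRAM or len(ix.data) != 12:
        return None
    variant, lamports = struct.unpack("<IQ", ix.data)
    if variant != SYSTEM_TRANSFER_INDEX:
        return None
    return ix.accounts[0], ix.accounts[1], lamports

def flag_appended_transfers(instructions, signer, own_accounts=()):
    """Report SOL transfers debited from the signer, inside a swap transaction, whose
    destination is not an account the user owns (wrapping SOL into own wSOL is normal)."""
    if not any(ix.program_id == SWAP_PROGRAM for ix in instructions):
        return []
    alerts = []
    for n, ix in enumerate(instructions):
        decoded = decode_system_transfer(ix)
        if decoded is None:
            continue
        src, dst, lamports = decoded
        if src == signer and dst != signer and dst not in own_accounts:
            alerts.append({"index": n, "to": dst, "sol": lamports / LAMPORTS_PER_SOL})
    return alerts
# Constructed 100 SOL swap bundle with the 0.05% skim (0.05 SOL) appended as the last instruction.
SAMPLE_TX = [
    make_transfer_ix(USER_WALLET, USER_WSOL_ACCOUNT, 100 * LAMPORTS_PER_SOL),  # wrap SOL for the swap
    Instruction(SWAP_PROGRAM, [USER_WALLET, USER_WSOL_ACCOUNT], b"\x09swap"),   # the swap itself
    make_transfer_ix(USER_WALLET, SKIM_WALLET, 50_000_000),                      # hidden 0.05 SOL transfer
]
```

A production check would resolve account ownership on-chain rather than rely on a static list of the user's own accounts, but the shape of the rule is the same: a swap that pays SOL to an unrelated wallet is not the swap the user approved.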
Notably, the incident underscores broader risks inherent in granting browser extensions signing privileges, as closed-source code may conceal malicious logic. Community-driven audits, open-source tooling, and decentralized signing protocols have been proposed as mitigation strategies to protect on-chain asset flows.
As DeFi activity grows, the attack highlights the necessity for rigorous security standards at the user interface layer. Developers and custodians must collaborate to balance convenience features with robust safety checks, ensuring that user approvals accurately reflect discrete on-chain instructions. Without such measures, similar fee siphoning or fund redirection exploits may proliferate across platforms.
Researchers continue to monitor the attacker wallet for further transactions and coordinate with law enforcement agencies to trace stolen funds. The Solana community, exchange operators, and cybersecurity firms are working together to share threat intelligence and reinforce best practices for secure browser interactions in decentralized trading environments.