Browser Malware Exposed Solana Users, Skimming Every Swap for Months

A malicious Chrome extension masquerading as a Solana trading assistant has been quietly siphoning fees from user swaps for months, exploiting how wallet interfaces bundle transactions.

The extension, Crypto Copilot, had been available on the Chrome Web Store since June, targeting traders on the Solana DEX Raydium. It injected a hidden second instruction into every swap, redirecting either 0.0013 SOL or 0.05% of the trade value to an attacker-controlled wallet.

The attack leveraged atomic transaction execution: wallet interfaces summarize multiple instructions as a single swap, so users unknowingly authorized both the intended trade and the hidden transfer. Cybersecurity firm Socket, which discovered the exploit, likened it to confirming an order that secretly adds extra charges without notice.

On-chain data suggests limited adoption so far, though the exploit scales with larger trades. Swaps above 2.6 SOL trigger the 0.05% fee, meaning a 100 SOL trade would lose 0.05 SOL (~$10 at current prices).

Further signs indicate a rushed infrastructure: the main domain, cryptocopilot.app, is parked on GoDaddy, and the backend dashboard at crypto-coplilot-dashboard.vercel.app (misspelled) returns a blank page while collecting wallet metadata.

Socket submitted a takedown request to Google, though the extension remained live at the time of reporting. Users are advised to avoid closed-source extensions requesting signing privileges and to transfer assets to fresh wallets if they used Crypto Copilot.