
Solana Users Affected by Persistent Browser Malware That Intercepted Swaps

A malicious Chrome extension disguised as a Solana trading assistant has been secretly siphoning fees from user swaps for months.

The extension, Crypto Copilot, has been on the Chrome Web Store since June, targeting traders on the Solana DEX Raydium. It added a hidden instruction to every swap, redirecting either 0.0013 SOL or 0.05% of the trade to an attacker-controlled wallet.

The attack exploited atomic transactions: wallet interfaces bundle multiple instructions into a single swap, meaning users unknowingly authorized both the intended trade and the hidden transfer. Cybersecurity firm Socket, which uncovered the scheme, compared it to confirming an order that secretly adds extra charges.
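A defender-side check for the pattern described above, as an added example that is not from Socket's report or from the extension's code: it scans a transaction's instruction list before signing and flags System Program SOL transfers from the user's wallet to any account the user does not own. The instruction objects, account names and swap program ID are constructed placeholders; the System Program ID and the 12-byte transfer layout are Solana's.

```javascript
// Solana System Program ID and lamports-per-SOL constant.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Decode a System Program Transfer: u32 LE instruction index (2), then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer out of `payer` whose recipient is not one of the
// user's own accounts (e.g. a wrapped-SOL account funded as part of a swap).
function findUnexpectedTransfers(instructions, payer, ownAccounts) {
  const own = new Set([payer, ...ownAccounts]);
  return instructions
    .map((ix, index) => ({ index, t: decodeSystemTransfer(ix) }))
    .filter(({ t }) => t && t.from === payer && !own.has(t.to))
    .map(({ index, t }) => ({ index, to: t.to, lamports: t.lamports }));
}

// Helper for the sample below: build transfer instruction data.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a swap that funds the user's own wrapped-SOL account,
// followed by an extra 0.0013 SOL (1,300,000 lamports) transfer to a stranger.
const USER = "USER_WALLET_PLACEHOLDER";
const USER_WSOL = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const sampleTx = [
  { programId: SYSTEM_PROGRAM, accounts: [USER, USER_WSOL], data: transferData(2n * LAMPORTS_PER_SOL) },
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, USER_WSOL], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM, accounts: [USER, "UNKNOWN_RECIPIENT_PLACEHOLDER"], data: transferData(1_300_000n) },
];

const findings = findUnexpectedTransfers(sampleTx, USER, [USER_WSOL]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports to ${f.to}`);
}
```

Only the third instruction is reported; the transfer into the user's own wrapped-SOL account is allowed because that account is passed in `ownAccounts`.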

On-chain data shows limited adoption. Trades above 2.6 SOL trigger the 0.05% fee. The extension’s infrastructure appeared rushed, with a parked domain (cryptocopilot.app) and a backend dashboard (crypto-coplilot-dashboard.vercel.app) that collected wallet data while returning a blank page.

Socket has requested that Google remove the extension, which remained live at the time of reporting. Users are advised to avoid closed-source extensions that request signing privileges and to move assets to new wallets if they interacted with Crypto Copilot.
