TLDR
- A Chrome extension called “Crypto Copilot” has been stealing funds from Solana traders since June 2024 by secretly adding hidden transfer instructions to their trades.
- The malware skims either 0.0013 SOL or 0.05% from each swap on Raydium DEX, whichever amount is greater, sending it to an attacker’s wallet.
- The extension hides the theft using obfuscated code that bundles a legitimate swap with an invisible second instruction that wallet interfaces don’t clearly display to users.
- Socket cybersecurity firm discovered the malware and submitted a takedown request to Google, but the extension remained available on the Chrome Web Store at time of reporting.
- Users who installed Crypto Copilot are advised to move their assets to new wallets immediately, as the extension also sends wallet data to a suspicious backend server.
A Chrome extension marketed as a Solana trading tool has been quietly draining funds from users for five months. The extension, named Crypto Copilot, was discovered by cybersecurity firm Socket this week.
The malicious software has been available on the Chrome Web Store since June 2024. It presented itself as a convenience tool for traders using Raydium, a popular Solana decentralized exchange.
A malicious Chrome extension was caught injecting hidden SOL transfers into Raydium swaps.
The add-on quietly adds an extra SystemProgram.transfer call to every Solana trade, sending a small amount to a hard-coded attacker wallet.
The UI shows only the legitimate swap, so users… pic.twitter.com/ByoD9m5m6H
— Web3 Antivirus (@web3_antivirus) November 27, 2025
Socket’s research team found that the extension secretly modifies every transaction users make. When traders execute a swap on Raydium, the extension adds a hidden second instruction to the transaction.
This hidden instruction transfers funds to a wallet controlled by the attacker. The amount stolen is either 0.0013 SOL or 0.05% of the trade value, whichever is larger.
The theft mechanism works because wallet interfaces show users a simplified summary of transactions. When users approve what looks like a standard swap, they unknowingly sign off on two instructions bundled together.
The malicious code is heavily obfuscated through variable renaming and JavaScript minification. The attacker’s wallet address is buried deep inside the extension’s code under an innocuous variable name.
For trades larger than 2.6 SOL, the extension takes the full 0.05% cut. A 100 SOL swap would lose 0.05 SOL, worth approximately $10 at current prices.
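The bundling described above, as an added defensive example that is not from Socket's report or the extension's own code: a pre-signing inspector that walks a transaction's instruction list, decodes System Program transfers, and flags any whose destination is outside the user's allow-list. The Raydium program id, wallet addresses and the one-byte swap payload are constructed placeholders; the skim formula is the one reported on this page.

```javascript
// Added example (not from Socket or Crypto Copilot): inspect a Solana
// transaction before signing and surface hidden System Program transfers.
// Real SystemProgram.transfer data layout: 4-byte little-endian instruction
// index (2 = Transfer) followed by an 8-byte little-endian lamports amount.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real id
const LAMPORTS_PER_SOL = 1_000_000_000n;
const RAYDIUM_PLACEHOLDER = "RaydiumAmmPlaceholder";          // constructed

function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null; // only Transfer (index 2)
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Skim reported for Crypto Copilot: max(0.0013 SOL, 0.05% of the swap).
function skimLamports(swapLamports) {
  const floor = 1_300_000n;          // 0.0013 SOL in lamports
  const pct = swapLamports / 2000n;  // 0.05% == 1/2000
  return pct > floor ? pct : floor;
}

// Returns every decoded transfer whose destination is not on the allow-list.
function findUnexpectedTransfers(instructions, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  for (const ix of instructions) {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) findings.push(t);
  }
  return findings;
}

// Helper used only to build constructed sample data for the inspector.
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

// Constructed sample: a 100 SOL swap bundled with the second instruction
// the article describes, destined for an address the user never chose.
const userWallet = "UserWalletPlaceholder";         // constructed
const attackerWallet = "AttackerWalletPlaceholder"; // constructed
const sampleTx = [
  { programId: RAYDIUM_PLACEHOLDER, accounts: [userWallet], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [userWallet, attackerWallet],
    data: encodeTransfer(skimLamports(100n * LAMPORTS_PER_SOL)) },
];
const hits = findUnexpectedTransfers(sampleTx, [userWallet]);
console.log(hits.map(h => `${h.lamports} lamports -> ${h.to}`)); // one hit: 50000000 lamports
```

A wallet that rendered every decoded instruction this way, rather than a one-line swap summary, would have shown the second transfer before the user signed.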
Infrastructure and Backend Operations
Socket researchers discovered that Crypto Copilot connects to a backend server at crypto-coplilot-dashboard.vercel.app. The domain name contains a misspelling and displays only a blank page.
Despite the empty website, the extension regularly transmits data to this server. It sends connected wallet identifiers and user activity information.
The extension also uses a hardcoded Helius API key for transaction simulation and RPC calls. A separate domain, cryptocopilot.app, remains parked on GoDaddy.
Researchers noted that the absence of documentation or a functioning dashboard raises red flags. This infrastructure pattern matches other malicious browser extensions rather than legitimate trading products.
On-chain analysis shows limited funds collected so far in the attacker’s wallet. Investigators believe this reflects low user adoption rather than proof of safety.
Browser Extension Threats in 2025
The discovery comes as browser-based crypto attacks continue to rise. In July 2025, over 40 malicious Firefox extensions impersonated major wallet providers including MetaMask, Coinbase, Phantom, OKX, and Trust Wallet.
Those extensions stole wallet credentials directly from browsers and sent them to attacker servers. Major exchanges like OKX issued public warnings and filed complaints after discovering fake versions of their official tools.
Browser extensions have become one of the most common attack vectors this year. Wallet-related breaches accounted for $1.7 billion of the $2.2 billion stolen in the first half of 2025, according to CertiK data.
Phishing incidents added another $410 million to total losses. Despite the rise in extension attacks, overall crypto hacks briefly declined in October.
Current Status and User Warnings
Socket submitted a formal takedown request to Google for the Crypto Copilot extension. The extension remained available on the Chrome Web Store at the time of reporting.
Socket warns users to avoid closed-source extensions that request transaction signing privileges. Anyone who installed or used Crypto Copilot should move their assets to fresh wallets immediately.
PeckShield data shows October 2025 recorded just $18.18 million stolen across 15 incidents, the lowest monthly total of the year. The Crypto Copilot extension continues to operate as investigators work with Google on removal.