A Silent Attack Hidden Inside Every Swap
A seemingly harmless Chrome extension marketed as a Solana trading helper has been exposed for quietly draining users’ wallets, skimming SOL through hidden transfer instructions injected into every swap. The malicious add-on, called Crypto Copilot, operated undetected for months before cybersecurity researchers uncovered the scheme.
Cybersecurity firm Socket uncovered the operation during its routine Chrome Web Store monitoring. Researcher Kush Pandya explained that the extension used aggressively obfuscated code and embedded a hard-coded Solana wallet address to secretly extract fees from users. Each time someone executed a swap through Raydium, Crypto Copilot generated the correct instruction, then quietly attached a second, invisible transfer.
This hidden instruction siphoned at least 0.0013 SOL, or 0.05% of the transaction amount, straight into the attacker’s wallet. Pandya said the extension’s behavior was flagged by their AI systems due to “discrepancies between stated functionality and actual network behavior,” prompting a deeper manual investigation that confirmed the malicious logic.
🚨 Socket researchers uncovered a malicious Chrome extension that injects hidden #SOL transfers into Raydium swaps, quietly siphoning fees to an attacker wallet.
— Socket (@SocketSecurity) November 25, 2025
Full analysis → https://t.co/bdGOXViJpA #Solana
Users Signed Transactions Without Realizing the Theft
The scam worked because the extension showed users only a single swap instruction in the interface. Wallet pop-ups also looked normal, giving no sign that a second hidden instruction would run in parallel on-chain. Crypto Copilot’s Chrome listing made no mention of extra fees or added transfers, allowing it to blend in as a harmless utility.
The extension remained available on the Chrome Web Store for months, and although attacker earnings remain small, researchers warn that the low amount likely reflects limited user adoption, not low threat.
How the Fee Mechanism Scaled With Trades
The malware was designed to profit more from big traders. Swaps under 2.6 SOL triggered the minimum 0.0013 SOL skim. Above that amount, the attacker took 0.05% of the swap - meaning a 100 SOL trade quietly paid 0.05 SOL to the attacker, around $10 at current prices.
Researchers found that the attacker operated through a domain hosted by GoDaddy and a misspelled Vercel backend that showed nothing but a blank dashboard, while silently gathering wallet data.
Researchers Push for Removal as Users Warned to Act
Socket immediately submitted a takedown request to Google, though the extension remained live when the report was published. The firm urged users to take defensive steps: review every transaction instruction, avoid closed-source browser extensions requesting signing permissions, and migrate assets to clean wallets if they ever installed Crypto Copilot.
Malware Threats Across Crypto Keep Growing
The Crypto Copilot case is just one in a string of recent malware incidents hitting the crypto world. Earlier this year, the ModStealer strain targeted wallets across Windows, Linux, and macOS using fake recruiter messages, while attackers also compromised an NPM package to inject wallet-swapping code into unsuspecting developers’ tools. Browser extensions, researchers warn, are becoming one of the easiest attack vectors for draining assets.



