Malicious ‘Crypto Copilot’ Chrome Extension Steals Hidden Fee from Solana Swaps
A malicious extension has been discovered in the Chrome catalog — an add-on that, without the owner’s knowledge, inserts a hidden fee into Solana transactions and diverts it to a wallet controlled by the attacker. Users conducting swaps through the Raydium decentralized exchange are particularly at risk.
The extension, titled Crypto Copilot, appeared in the Chrome Web Store on 7 May 2024. Its listed author is a user under the handle “sjclark76.” The description promises the ability to trade cryptocurrency directly within X, offering “real-time analytics” and “convenient trade execution.” At the time the issue was identified, the extension had 12 installations — and remained available for download.
Experts at Socket determined that behind the interface masquerading as a legitimate trading tool lies a mechanism that injects an additional transfer into every Solana swap. During a Raydium exchange, the extension appends a call to the service method SystemProgram.transfer, causing the signed transaction to include an extra SOL transfer to a hard-coded address controlled by the attacker.
The fee is calculated automatically based on the size of the swap. A minimum of 0.0013 SOL is siphoned, while for transactions exceeding 2.6 SOL, the extension inserts a transfer of 2.6 SOL plus 0.05% of the swap amount. This fee is never displayed in the extension’s interface — the user sees only the parameters of the main Raydium transaction, making the manipulation nearly invisible without a meticulous inspection of each instruction before signing.
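The defence the text implies is to inspect every instruction before signing. Below is an added example, not code from Socket or from the extension, of a pre-signing audit in plain JavaScript: it decodes the System Program's Transfer instruction (4-byte little-endian index 2 followed by a u64 little-endian lamport amount) and flags any SOL transfer to a recipient the user did not expect. The instruction shape (`programId`, `keys` as plain address strings, `data` as bytes), the swap program id and the attacker address are simplified placeholders constructed for the example.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real Solana System Program id

// Decode a System Program instruction; returns null unless it is a Transfer (index 2).
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null; // 2 == SystemInstruction::Transfer
  const lamports = view.getBigUint64(4, true);
  // Transfer account order: [0] funding account (signer), [1] recipient
  return { from: ix.keys[0], to: ix.keys[1], lamports };
}

// Walk every instruction; any SOL transfer outside the allowlist is a finding.
function auditTransaction(instructions, expectedRecipients) {
  const findings = [];
  instructions.forEach((ix, i) => {
    const t = decodeSystemTransfer(ix);
    if (t && !expectedRecipients.has(t.to)) {
      findings.push({ index: i, to: t.to, sol: Number(t.lamports) / 1e9 });
    }
  });
  return findings;
}

// Build Transfer instruction data for the constructed sample below.
function encodeTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return data;
}

// Constructed sample transaction: a swap against a placeholder AMM program, followed by an
// appended transfer of 0.0013 SOL (the minimum fee described above) to a placeholder wallet.
const SAMPLE_TX = [
  { programId: "SwapProgramPlaceholder", keys: ["UserWallet", "PoolAccount"], data: new Uint8Array([9, 0, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, keys: ["UserWallet", "AttackerWalletPlaceholder"], data: encodeTransfer(1_300_000) },
];

// The user only intended to interact with the pool, so the appended transfer is flagged.
console.log(auditTransaction(SAMPLE_TX, new Set(["PoolAccount"])));
```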
To conceal its behavior, the add-on employs heavy code obfuscation, including minification and aggressive variable renaming. Simultaneously, it communicates with a backend hosted at crypto-coplilot-dashboard.vercel[.]app, transmitting information about connected wallets, referral activity, and accumulated “points.” A related domain, cryptocopilot[.]app, contains no real product — functioning solely as window dressing to create the appearance of a legitimate service.
Crypto Copilot further enhances its credibility by integrating with reputable platforms such as DexScreener and Helius RPC. Taken together, the project’s infrastructure is designed to pass Chrome Web Store moderation and imitate a lawful crypto-trading tool, all while quietly diverting a portion of user funds to the extension’s creator.
The Crypto Copilot incident starkly illustrates how even a seemingly innocuous browser extension can transform routine transactions into a source of hidden financial loss. Any tool granted access to wallets and transaction flows demands scrutiny — and trust in a browser-store listing alone can no longer serve as a safeguard.