A malicious Chrome extension, Crypto Copilot, lets people trade Solana from X (Twitter) but secretly steals part of every swap.
Cybersecurity firm Socket found that Crypto Copilot adds a hidden transfer to every Solana trade. Instead of emptying wallets, it steals 0.0013 SOL or 0.05% per swap.
It uses Raydium to perform trades but secretly adds an instruction transferring SOL to the attacker. Users see only the swap, and wallet confirmations hide these extra instructions.
“Users sign what looks like a single swap, but both instructions execute atomically on-chain,” Socket explained.
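The appended transfer described above can be surfaced by decoding every instruction in a transaction before it is signed. This is an added example, not code from Socket or from the extension. It assumes the transaction has already been decoded into program IDs, account lists and raw instruction data, and every address and the sample transaction are constructed placeholders.

```javascript
// Added example; all addresses and the transaction below are constructed.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program ID

// System Program Transfer data: u32 LE instruction index (2) + u64 LE lamports.
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

// Returns the lamport amount if `data` is a Transfer, otherwise null.
function decodeTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  return view.getUint32(0, true) === 2 ? view.getBigUint64(4, true) : null;
}

// Flags SOL transfers out of `signer` to any address not in `allowed`.
// A legitimate swap may fund the signer's own wrapped-SOL account, so the
// caller passes such addresses in `allowed`.
function findUnexpectedTransfers(tx, signer, allowed = []) {
  const ok = new Set([signer, ...allowed]);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM) return;
    const lamports = decodeTransfer(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.accounts;
    if (from === signer && !ok.has(to)) findings.push({ index, to, lamports });
  });
  return findings;
}

// Constructed sample: a swap instruction followed by an appended transfer.
const USER = "UserWalletPlaceholder";
const sampleTx = {
  instructions: [
    { programId: "SwapProgramPlaceholder", accounts: [USER], data: new Uint8Array([9]) },
    { programId: SYSTEM_PROGRAM, accounts: [USER, "UserWsolPlaceholder"],
      data: encodeTransfer(50_000_000n) },       // funds the user's own wSOL account
    { programId: SYSTEM_PROGRAM, accounts: [USER, "UnknownRecipientPlaceholder"],
      data: encodeTransfer(1_300_000n) },        // 0.0013 SOL, the amount in the article
  ],
};

for (const f of findUnexpectedTransfers(sampleTx, USER, ["UserWsolPlaceholder"])) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports to ${f.to}`);
}
```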
The extension has been online since June 18, 2024, with about 15 users. It markets itself as a convenience tool for instant Solana swaps on Twitter, but it quietly siphons funds.
Malicious Chrome extensions targeting crypto are increasing. Earlier this month, Socket warned about another wallet extension stealing funds. In August, Jupiter found a plugin emptying Solana wallets. In June 2024, a Chinese trader lost $1 million to a plugin stealing browser cookies and Binance access.


