Malware Chrome Extension Secretly Siphoned Fees From Solana Traders for Months

A Chrome extension marketed as a convenient trading tool has been secretly siphoning SOL from users’ swaps since last June, injecting hidden fees into every transaction while masquerading as a legitimate Solana trading assistant.

Cybersecurity firm Socket discovered malware extension Crypto Copilot during “continuous monitoring” of the Chrome Web Store, security engineer and researcher Kush Pandya told Decrypt.

In an analysis of the malicious extension published Wednesday, Pandya wrote that Crypto Copilot quietly appends an extra transfer instruction to every Solana swap, extracting a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet.

“Our AI scanner flagged multiple indicators: aggressive code obfuscation, a hardcoded Solana address embedded in transaction logic, and discrepancies between the extension’s stated functionality and actual network behavior,” Pandya told Decrypt, adding that “These alerts triggered deeper manual analysis that confirmed the hidden fee extraction mechanism.”

The research points to risks in browser-based crypto tools, particularly extensions that combine social media integration with transaction signing capabilities.

The extension has remained available on the Chrome Web Store for months, with no warning to users about the undisclosed fees buried in heavily obfuscated code, the report says.

“The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code,” Pandya noted.

Each time a user swaps tokens, the extension generates the proper Raydium swap instruction but discreetly tacks on an extra transfer directing SOL to the attacker’s address.

Raydium is a Solana-based decentralized exchange and automated market maker, whereas a “Raydium swap” simply refers to exchanging one token for another through its liquidity pools.

Users who installed Crypto Copilot, believing it would streamline their Solana trading, have unknowingly been paying hidden fees with every swap, fees that never appeared in the extension’s marketing materials or Chrome Web Store listing.

The interface shows only the swap details, and wallet pop-ups summarize the transaction, so users sign what looks like a single swap even though both instructions execute simultaneously on-chain.

The attacker’s wallet has received only small amounts to date, a sign that Crypto Copilot hasn’t reached many users yet, rather than an indication that the exploit is low-risk, as per the report.

The fee mechanism scales with trade size, as for swaps under 2.6 SOL, the minimum 0.0013 SOL fee applies, and above that threshold, the 0.05% percentage fee takes effect, meaning a 100 SOL swap would extract 0.05 SOL, roughly $10 at current prices.

The extension’s main domain cryptocopilot[.]app is parked by domain registry GoDaddy, while the backend at crypto-coplilot-dashboard[.]vercel[.]app, notably misspelled, displays only a blank placeholder page despite collecting wallet data, the report says.



Socket has submitted a takedown request to Google’s Chrome Web Store security team, though the extension remained available at the time of publication.

The platform has urged users to review each instruction before signing transactions, avoid closed-source trading extensions requesting signing permissions, and migrate assets to clean wallets if they installed Crypto Copilot.

Malware patterns

Malware remains a growing concern for crypto users. In September, a malware strain called ModStealer was found targeting crypto wallets across Windows, Linux, and macOS through fake job recruiter ads, evading detection by major antivirus engines for almost a month.

Ledger CTO Charles Guillemet has previously warned that attackers had compromised an NPM developer account, with malicious code attempting to silently swap crypto wallet addresses during transactions across multiple blockchains.