A newly exposed malicious Chrome extension called Crypto Copilot has been injecting hidden transfer instructions into Solana (SOL) swap transactions, quietly siphoning tiny amounts of SOL to an attacker-controlled wallet every time users trade. The threat, disclosed this week by security researchers at Socket, has circulated across multiple crypto news outlets and security blogs after investigators detailed how the extension masks the extra transfer inside otherwise legitimate Raydium swaps.
According to Socket’s analysis, the extension appends a concealed transfer instruction to each Raydium swap. It routes either a flat minimum amount (about 0.0013 SOL) or roughly 0.05% of the swap value to a hard-coded wallet. These small sums compound with frequent trading and can go unnoticed because wallet UIs summarize multi-instruction transactions as a single “swap.” The extension was listed on the Chrome Web Store in mid-2024 and continued operating until researchers flagged it this month.
Researchers warn that the extension was marketed as a convenience tool that lets users trade directly from their X (Twitter) feed while showing price data and one-click execution. Behind the polished interface, however, its code intercepts the swap flow and injects the secret transfer before the transaction is submitted. Users who approve the summarized swap therefore unknowingly authorize the malicious extra instruction as part of the same atomic transaction.
Immediate steps for impacted users: uninstall the Crypto Copilot extension from Chrome, revoke site and extension permissions in your browser settings, and review recent wallet activity for unexpected transfers. Security teams also recommend revoking any token approvals or program grants associated with the extension and migrating funds from wallets that show suspicious transactions. If you used the extension, consider moving remaining funds to a fresh wallet and re-securing seed phrases.
This incident highlights an ongoing risk in the browser extension ecosystem for crypto tooling. Convenience-focused add-ons can be weaponized to execute stealthy, low-and-slow thefts that evade casual detection. Therefore, security experts urge traders to rely on audited tools, scrutinize extension permissions, and inspect the full transaction payload in their wallet (not just the summarized UI) before signing.
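As an added illustration of inspecting the full instruction list rather than the summarized "swap" (this is not code from Socket or from the extension), the sketch below walks a decoded transaction and flags any System Program transfer from the signer to an account the user did not expect. The transaction shape, the account labels and the `findUnexpectedTransfers` helper are assumptions made for the example, and the sample data is constructed.

```javascript
// Solana System Program ID; its Transfer instruction is index 2 followed by a u64 lamport amount.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";

// Return the lamport amount if `data` encodes a System Program Transfer, else null.
function decodeSystemTransfer(data) {
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== 2) return null; // little-endian instruction index
  return view.getBigUint64(4, true);              // little-endian lamports
}

// tx: { instructions: [{ programId, accounts: [from, to, ...], data: Uint8Array }] }
// (hypothetical, already-resolved shape). `expected` lists destinations the user
// knows about, e.g. their own wrapped-SOL account used by a legitimate swap.
function findUnexpectedTransfers(tx, signer, expected = new Set()) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.accounts;
    if (from === signer && to !== signer && !expected.has(to)) {
      findings.push({ index, to, lamports });
    }
  });
  return findings;
}

// Build Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a swap instruction followed by an appended 0.0013 SOL transfer.
const sampleTx = {
  instructions: [
    { programId: "HYPOTHETICAL_SWAP_PROGRAM", accounts: ["USER_WALLET", "POOL_ACCOUNT"],
      data: new Uint8Array([9, 0, 0]) },
    { programId: SYSTEM_PROGRAM, accounts: ["USER_WALLET", "UNKNOWN_WALLET"],
      data: transferData(1_300_000n) }, // 0.0013 SOL in lamports
  ],
};
console.log(findUnexpectedTransfers(sampleTx, "USER_WALLET"));
```

The same check can be run over past transactions when auditing wallet history, since the appended transfer lands in the same transaction as the swap it rode on.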
FAQs
Q: Is Crypto Copilot still on the Chrome Web Store?
A: At the time of reporting, researchers found that the extension had been listed since mid-2024. Availability can change rapidly, so check official Chrome Web Store notices and the Socket advisory for updates.
Q: How much can I lose per trade?
A: Socket found the extension siphons at least 0.0013 SOL or about 0.05% per swap. This is a small amount per trade but meaningful over many transactions.
Q: What immediate actions should I take?
A: Uninstall the extension, revoke approvals, audit recent transactions, and move funds to a new wallet if you spot suspicious transfers.
Q: How can I avoid similar scams?
A: Use only audited extensions, limit browser wallet use, verify extension developer details, and inspect full transaction instructions in your wallet before signing.