Source: PortaldoBitcoin
Original Title: Chrome extension diverts Solana traders' fees for months
Original Link: https://portaldobitcoin.uol.com.br/extensao-do-chrome-desvia-taxas-de-traders-de-solana-ha-meses/
A Chrome extension, marketed as a handy trading tool, has been secretly siphoning Solana (SOL) from users' transactions since last June, injecting hidden fees into each transaction while masquerading as a legitimate Solana trading assistant.
The cybersecurity company Socket discovered the malicious extension Crypto Copilot during the “continuous monitoring” of the Chrome Web Store, as reported by engineer and security researcher Kush Pandya.
Analysis of Malicious Extension
In a detailed analysis of the malicious extension, Pandya wrote that Crypto Copilot silently appends an extra transfer instruction to every Solana swap transaction, diverting the greater of 0.0013 SOL and 0.05% of the transaction value to a wallet controlled by the attacker.
“Our AI scanner flagged several indicators: aggressive code obfuscation, a Solana address embedded in the transaction logic, and discrepancies between the extension's declared functionality and its actual network behavior,” said Pandya, adding that “these alerts triggered a deeper manual analysis that confirmed the hidden fee extraction mechanism.”
The research points to risks in browser-based crypto tools, particularly extensions that combine social-media integration with transaction-signing features.
Lack of Transparency
The extension remained on the Chrome Web Store for months with no disclosure of the fees to users, and the logic that implements them was hidden in heavily obfuscated code, the report says.
“The fee behavior is never disclosed on the extension's Chrome Web Store page, and the logic that implements it is hidden in highly obfuscated code,” noted Pandya.
Every time a user swaps tokens, the extension generates the correct Raydium swap instruction, but discreetly adds an extra transfer directing SOL to the attacker's address.
Raydium is a decentralized exchange and automated market maker built on the Solana blockchain; a “Raydium swap” is simply the exchange of one token for another through its liquidity pools.
Impact on Users
Users who installed Crypto Copilot, believing it would simplify their Solana trading, have unknowingly been paying a hidden fee on every swap, a fee that never appeared in the extension's marketing materials or in its Chrome Web Store listing.
The extension's interface shows only the swap details, and wallet pop-ups summarize the transaction, so users sign what appears to be a single swap even though both instructions execute atomically within the same on-chain transaction.
The attacker's wallet has received only small amounts so far, which the report reads as a sign that Crypto Copilot has not yet reached many users, not as an indication that the threat is low-risk.
Fee Structure
The fee has a fixed floor and scales with transaction size above it. For swaps below 2.6 SOL, a minimum fee of 0.0013 SOL applies; above that threshold, a percentage fee of 0.05% takes over (the two meet at 2.6 SOL, since 0.05% of 2.6 SOL is exactly 0.0013 SOL). A 100 SOL swap would therefore be charged 0.05 SOL, roughly $10 at prices at the time of the report.
The extension's main domain, cryptocopilot.app, is registered through GoDaddy, while its backend serves only a blank page despite collecting wallet data, according to the report.
Security Recommendations
Socket has submitted a removal request to the Google Chrome Web Store security team. It recommends that users:
Review each instruction before signing transactions
Avoid closed-source trading extensions that request signature permissions
Migrate your assets to clean wallets if you have installed Crypto Copilot
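The first recommendation above, reviewing each instruction before signing, is the check that would have exposed the mechanism described earlier: a correct swap instruction followed by an appended System Program transfer. The following is an added example, not code from Socket's report or from the extension, that audits a Solana transaction's instruction list offline in plain Node.js (no @solana/web3.js dependency). It encodes and decodes the real System Program transfer layout (4-byte little-endian instruction index 2, then 8-byte little-endian lamports) and reproduces the fee rule from the report; the swap program id and the wallet addresses are placeholders assumed for illustration, and the transaction it inspects is constructed here.

```javascript
// Added example (not Socket's code or the extension's code): inspect the instruction
// list of a Solana transaction before signing it and flag any System Program SOL
// transfer the user did not ask for. The transaction below is constructed to mirror
// the report: a swap instruction plus an appended transfer to a skimmer wallet.

const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // the real System Program id
const SYSTEM_TRANSFER_INDEX = 2;       // SystemInstruction::Transfer discriminator (u32 LE)
const LAMPORTS_PER_SOL = 1_000_000_000;
const MIN_SKIM_LAMPORTS = 1_300_000;   // 0.0013 SOL, the floor described in the report
const SKIM_BPS = 5;                    // 0.05% = 5 basis points

// Placeholders assumed for illustration; not addresses or program ids from the report.
const SWAP_PROGRAM_ID = 'SwapProgramP1aceho1der111111111111111111111';
const USER_WALLET = 'UserWa11etP1aceho1der11111111111111111111111';
const SKIMMER_WALLET = 'SkimmerWa11etP1aceho1der11111111111111111111';

// Fee rule from the report: max(0.0013 SOL, 0.05% of the swap size), in lamports.
function skimmedLamports(swapLamports) {
  const pct = Math.floor((swapLamports * SKIM_BPS) / 10_000);
  return Math.max(MIN_SKIM_LAMPORTS, pct);
}

// Encode a System Program transfer exactly as the runtime expects it:
// 4-byte LE instruction index followed by 8-byte LE lamports.
function encodeSystemTransfer(from, to, lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return { programId: SYSTEM_PROGRAM_ID, keys: [from, to], data };
}

// Decode the same layout; returns null for anything that is not a transfer.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  if (ix.data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.keys[0], to: ix.keys[1], lamports: Number(ix.data.readBigUInt64LE(4)) };
}

// Policy derived from what the UI displayed: which programs the swap may touch and
// which accounts may receive SOL. A real swap may also carry compute-budget,
// token-program or wrapped-SOL instructions; list those programs and the user's own
// accounts in the policy rather than loosening the check.
function auditInstructions(instructions, policy) {
  const findings = [];
  instructions.forEach((ix, index) => {
    if (policy.allowedPrograms.has(ix.programId)) return;
    const xfer = decodeSystemTransfer(ix);
    if (xfer === null) {
      findings.push({ index, reason: 'unexpected program', programId: ix.programId });
    } else if (!policy.allowedRecipients.has(xfer.to)) {
      findings.push({ index, reason: 'undisclosed SOL transfer', to: xfer.to, lamports: xfer.lamports });
    }
  });
  return findings;
}

// Constructed transaction shaped like the one the report describes: the legitimate
// swap instruction (opaque payload) followed by the appended skim transfer.
function buildSkimmedSwap(swapLamports) {
  const swapIx = { programId: SWAP_PROGRAM_ID, keys: [USER_WALLET], data: Buffer.from([9]) };
  const skimIx = encodeSystemTransfer(USER_WALLET, SKIMMER_WALLET, skimmedLamports(swapLamports));
  return [swapIx, skimIx];
}

const policy = {
  allowedPrograms: new Set([SWAP_PROGRAM_ID]),
  allowedRecipients: new Set([USER_WALLET]),
};

function printAudit(swapSol) {
  const findings = auditInstructions(buildSkimmedSwap(swapSol * LAMPORTS_PER_SOL), policy);
  for (const f of findings) {
    const detail = f.to ? `${f.lamports / LAMPORTS_PER_SOL} SOL -> ${f.to}` : f.programId;
    console.log(`instruction ${f.index}: ${f.reason}: ${detail}`);
  }
  return findings;
}

printAudit(100); // flags instruction 1: 0.05 SOL to the skimmer wallet
```

The useful property is that the audit does not trust the UI summary at all: it starts from the decoded instruction list the wallet is actually being asked to sign, and anything that is neither an allowed program nor a transfer to an allowed account is reported, regardless of how small the amount is.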
Context: Malware Patterns in Cryptocurrency
Malware continues to be a growing concern for cryptocurrency users. In September, a malware variant called ModStealer was discovered targeting cryptocurrency wallets on Windows, Linux, and macOS systems through fake job recruitment advertisements, managing to evade detection by major antivirus software for nearly a month.
The chief technology officer of a cybersecurity company had already warned that attackers had compromised developer accounts, planting malicious code that attempted to silently swap cryptocurrency wallet addresses during transactions across multiple blockchains.