Cybersecurity firm Socket has revealed that a malicious Chrome extension called "Crypto Copilot" is stealing funds by adding hidden fees to users' Solana transactions.
Released to the Chrome Web Store on June 18, 2024, the extension advertises itself as a tool that "lets you instantly take action from your X stream," but it performs an additional transfer in the background that users do not notice.
According to a technical review by Socket's Threat Research Team, the extension adds a transfer of 0.0013 SOL, or 0.05% of the transaction amount, to each swap transaction. This amount is directed to the attacker's wallet, whose address is embedded in the code. Furthermore, this fee structure is not disclosed on the Chrome Web Store page, and the relevant code is heavily obfuscated.
After generating a standard swap instruction on Raydium, Crypto Copilot adds a second, hidden instruction. This hidden instruction transfers SOL to the address Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. Because the interface displays only the swap details, and wallet confirmation screens often do not show individual instructions, users frequently mistake the transaction for a single swap and sign it. However, both instructions execute together on the chain.
Socket says it has submitted a formal removal request to the Google Chrome Web Store security team and that the malicious extension is still live.

