A malicious Google Chrome browser extension has been discovered that allows users to trade on Solana, while covertly skimming a fee from every swap into the creator’s wallet.
According to a report by cybersecurity company Socket, the Google Chrome extension enables users to trade on Solana (SOL) directly from their X social media feed. Unlike typical wallet-draining malware that aims to steal an entire balance, this extension, named Crypto Copilot, "injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade," Socket found.
On the backend, Crypto Copilot utilizes the decentralized exchange Raydium to execute swaps for the user. However, it appends a second instruction that transfers SOL from the user to the attacker. The user interface only displays the swap details, and wallet confirmation screens "summarize the transaction without surfacing individual instructions."
"Users sign what appears to be a single swap, but both instructions execute atomically on-chain," Socket stated.
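The check below is an added example, not code from Socket's report or from the extension: it walks a decoded transaction's instruction list and flags any System Program transfer that moves SOL from the signer to a recipient the user did not approve, which is the kind of per-instruction review the confirmation screens described above do not surface. The decoded-transaction shape, the wallet names and the DEX program name are constructed placeholders; only the System Program ID and its transfer data layout are real.

```javascript
// Added example: audit a decoded Solana transaction for extra SOL transfers.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program ID
const LAMPORTS_PER_SOL = 1_000_000_000n;

// System Program "Transfer" data: u32 LE instruction index (2), then u64 LE lamports.
function parseSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length < 12 || ix.accounts.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null; // some other System Program instruction
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every transfer that moves SOL from the signer to an unapproved recipient.
function findUnexpectedTransfers(tx, signer, approvedRecipients = []) {
  const approved = new Set([signer, ...approvedRecipients]);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = parseSystemTransfer(ix);
    if (t && t.from === signer && !approved.has(t.to)) {
      const sol = Number(t.lamports) / Number(LAMPORTS_PER_SOL);
      findings.push({ index, to: t.to, lamports: t.lamports, sol });
    }
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function encodeTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a swap instruction followed by an appended transfer.
// All addresses are placeholders, not real accounts.
const USER = "UserWalletPlaceholder";
const sampleTx = {
  instructions: [
    { programId: "DexProgramPlaceholder", accounts: [USER, "PoolPlaceholder"], data: new Uint8Array([9, 0, 0]) },
    { programId: SYSTEM_PROGRAM, accounts: [USER, "UnknownRecipientPlaceholder"], data: encodeTransfer(1_300_000n) },
  ],
};

console.log(findUnexpectedTransfers(sampleTx, USER));
```

A swap that wraps SOL legitimately transfers lamports to the user's own wrapped-SOL token account, so that account belongs in `approvedRecipients`.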
A Long-Lived Operation
Socket noted that it submitted a takedown request for the extension to the Chrome Web Store security team. The malicious extension has been active for a considerable period, having been published on June 18, 2024. However, the store reports that it currently has only 15 users.
Crypto Copilot is marketed as a convenience tool, offering Solana traders the ability to execute swaps directly from Twitter. Its listing describes the extension as "allowing you to act on trading opportunities instantly without the need for switching between apps or platforms."
The Latest in a Series of Malicious Google Chrome Extensions
Google Chrome's extensive user base and its extensible design have long made its extension ecosystem a prime target for crypto-focused scams. Earlier this month, Socket issued a warning that the fourth-most-popular crypto wallet extension in the Chrome Web Store was draining user funds. In late August, decentralized exchange aggregator Jupiter announced it had identified another malicious Chrome extension that was emptying Solana wallets.
In June 2024, a Chinese trader reportedly lost $1 million after installing a Chrome plugin called Aggr. This extension was designed to steal browser cookies, enabling it to hijack accounts, including access to the trader’s Binance account.

