The Chrome Solana extension ‘Crypto Copilot’ stealthily diverts funds from users in swaps, highlighting the security risks of browser-based crypto tools.
Summary
- The Crypto Copilot Chrome extension integrates hidden transfer instructions into Solana swap transactions
- Cybersecurity firm Socket has discovered secret money diversions to the attacker’s wallet via hidden commands
- Incident highlights vulnerabilities in browser-based crypto tools and the need for verification of user transactions.
A Chrome browser extension designed for cryptocurrency trading in Solana secretly diverts funds from users by embedding hidden transfer instructions into exchange transactions, according to a report from cybersecurity firm Socket’s Threat Research Team.
The extension, called Crypto Copilot, allows users to trade SOL (SOL) tokens directly from X, formerly known as Twitter, while stealthily redirecting a portion of each transaction to an attacker-controlled wallet, Socket reported. Each swap performed through the extension contains a hidden instruction that transfers 0.05 percent of the transaction value, or a minimum of 0.0013 SOL, to a hardcoded wallet address.
Crypto Copilot, published on the Chrome Web Store in mid-2024, markets itself as a tool for direct Solana trading, the report said. Users only see the primary exchange transaction on confirmation screens, which summarize the transaction without revealing the additional transfer instruction, Socket said.
The extension uses obfuscation techniques including code minification and variable renaming to hide its malicious behavior, the cybersecurity firm said. The software communicates with a backend server hosted at crypto-coplilot-dashboard.vercel.app, where it registers connected wallets, tracks user activity and reports referral data, the report said.
A second domain associated with the extension, cryptocopilot.app, remains parked and non-functional. Socket noted that the lack of an operational dashboard is inconsistent with how legitimate trading platforms operate.
Crypto Copilot uses Raydium, an automated market maker on the Solana blockchain, to execute swaps. The extension adds a hidden SystemProgram.transfer instruction to each transaction, completing atomic on-chain transfers that divert funds while users approve a seemingly single transaction, the report said.
Solana browser extension Crypto Copilot investigated by Socket
While installation numbers remain low, Socket warned that cumulative losses pose significant risks for frequent traders. The extension’s ability to divert funds undetected illustrates the broader security threats posed by browser-based cryptocurrency tools, the company said.
According to industry reports, previous incidents involved malicious Chrome and Firefox extensions targeting cryptocurrency wallets including MetaMask, Phantom and Coinbase.
The incident highlights vulnerabilities in browser-based cryptocurrency security and the importance of transaction verification before approval, Socket said. As browser-based tools increasingly integrate cryptocurrency trading functionality, improved monitoring and oversight of Chrome’s extension ecosystem may be necessary to protect decentralized finance users, the report concludes.
Solana traders are advised to verify the legitimacy of the extension, review transaction instructions in detail and monitor updates from cybersecurity researchers, Socket said.
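As an added illustration of the instruction-level review described above (this code is not from Socket's report or from the extension), the following JavaScript decodes System Program transfer instructions in a transaction and flags any that send the user's SOL to a recipient the user did not expect. It assumes the transaction has already been decoded into a list of { programId, accounts, data } objects with account addresses resolved; the wallet, pool and recipient names are constructed placeholders.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // System Program instruction enum: 2 = Transfer
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Transfer data layout: u32 LE instruction index, then u64 LE lamports.
// Accounts: [0] = funding account, [1] = recipient.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Every transfer out of `user` whose recipient is not the user or an expected account
// (expectedRecipients is an assumption: accounts the user knows the swap must fund).
function findUnexpectedTransfers(instructions, user, expectedRecipients = []) {
  const allowed = new Set([user, ...expectedRecipients]);
  return instructions
    .map((ix, index) => ({ index, transfer: decodeSystemTransfer(ix) }))
    .filter(({ transfer }) => transfer && transfer.from === user && !allowed.has(transfer.to))
    .map(({ index, transfer }) => ({ index, ...transfer }));
}

// Exact lamports-to-SOL formatting without floating point.
function formatSol(lamports) {
  const whole = lamports / LAMPORTS_PER_SOL;
  const frac = (lamports % LAMPORTS_PER_SOL).toString().padStart(9, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Builds Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a swap instruction followed by an extra 0.0013 SOL transfer.
const USER = "USER_WALLET_PLACEHOLDER";
const sampleInstructions = [
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, "POOL_PLACEHOLDER"], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UNKNOWN_RECIPIENT_PLACEHOLDER"], data: transferData(1_300_000n) },
];

for (const t of findUnexpectedTransfers(sampleInstructions, USER)) {
  console.log(`instruction #${t.index}: ${formatSol(t.lamports)} SOL -> ${t.to}`);
}
```

A wallet or review tool can run a check of this kind before the signing prompt and show each flagged instruction alongside the swap summary.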

