
In short
- Chrome extension Crypto Copilot secretly adds a hidden SOL transfer to every Raydium swap, transferring fees to an attacker’s wallet.
- Security platform Socket discovered that the extension uses obfuscated code and a misspelled, inactive backend domain to mask its activity.
- On-chain theft remains small so far, but the mechanism scales with trade size and the extension is still live in the Chrome Web Store.
A Chrome extension marketed as a useful trading tool has been secretly siphoning SOL from users’ swaps since last June, injecting hidden fees into every trade and masquerading as a legitimate Solana trading assistant.
Cybersecurity firm Socket discovered the malicious extension Crypto Copilot during “continuous monitoring” of the Chrome Web Store, security engineer and researcher Kush Pandya told Decrypt.
🚨 Socket researchers have discovered a malicious Chrome extension that injects stealth #SOL transfers into Raydium swaps, quietly transferring fees to an attacker’s wallet.
Full analysis → https://t.co/bdGOXViJpA #Solana
— Socket (@SocketSecurity) November 25, 2025
In an analysis of the malicious extension published on Wednesday, Pandya wrote that Crypto Copilot quietly adds an additional transfer instruction to every Solana swap, extracting a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet.
“Our AI scanner identified multiple indicators: aggressive code obfuscation, a hardcoded Solana address embedded in transaction logic, and discrepancies between the extension’s stated functionality and actual network behavior,” Pandya told Decrypt, adding that “these alerts triggered a deeper manual analysis that confirmed the mechanism for extracting hidden costs.”
The research highlights risks from browser-based crypto tools, especially extensions that combine social media integration with transaction signing capabilities.
The extension has been available on the Chrome Web Store for months, with no warning to users about the undisclosed costs hidden in heavily obfuscated code, the report said.
“The charge behavior is never disclosed in the Chrome Web Store listing, and the logic implementing it is hidden in heavily obfuscated code,” Pandya said.
Each time a user swaps tokens, the extension generates the appropriate Raydium swap instruction, but discreetly initiates an additional transfer sending SOL to the attacker’s address.
Raydium is a Solana-based decentralized exchange and automated market maker, while a “Raydium swap” simply refers to exchanging one token for another through its liquidity pools.
Users who installed Crypto Copilot, believing it would streamline their Solana trading, unknowingly paid hidden fees on every trade, fees that never appeared in the extension’s marketing materials or in the Chrome Web Store listing.
The interface shows only the swap details, and wallet popups summarize the transaction, so users sign what appears to be a single swap even though both instructions are executed simultaneously on the chain.
The attacker’s wallet has received only small amounts of money so far, a sign that Crypto Copilot has not yet reached many users, rather than an indication that the exploit is low risk, the report said.
The fee mechanism scales with trade size: for swaps below 2.6 SOL the minimum fee of 0.0013 SOL applies, and above that threshold the 0.05% percentage fee takes over, so a 100 SOL swap would earn the attacker 0.05 SOL, approximately $10 at current prices.
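As an added illustration (not code from Socket’s report or from the extension), the snippet below models a Solana transaction as a plain list of instructions and shows the two checks a wallet or a careful user could apply before signing: recompute the fee schedule the report describes (the larger of 0.0013 SOL and 0.05% of the swap) and flag any System Program transfer whose destination is not an address the user recognizes. The program ids and wallet addresses are constructed placeholders; a real check would decode the instructions from the wallet’s signing request.

```javascript
// Simplified model of a Solana transaction: an ordered list of instructions.
// All ids and addresses below are constructed placeholders, not real on-chain values.
const SYSTEM_PROGRAM = "SystemProgramPlaceholder11111111111111111111";
const RAYDIUM_AMM = "RaydiumAmmPlaceholder1111111111111111111111";
const USER_WALLET = "UserWalletPlaceholder11111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000;

// Fee schedule described in the report: max(0.0013 SOL, 0.05% of the swap amount).
// The two branches meet at 2.6 SOL, where 0.05% equals exactly 0.0013 SOL.
function hiddenFeeSol(swapAmountSol) {
  return Math.max(0.0013, swapAmountSol * 0.0005);
}

// Defender-side check: return every System Program SOL transfer whose destination
// is not on the user's allowlist (their own accounts, known counterparties, etc.).
function findUnexpectedTransfers(tx, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  return tx.instructions.filter(
    (ix) => ix.programId === SYSTEM_PROGRAM && ix.type === "transfer" && !allowed.has(ix.to)
  );
}

// Constructed sample of the pattern the report describes: the swap the user
// expected, followed by an appended transfer to a hardcoded third-party address.
// Pass feeDestination = null to build a clean, swap-only transaction for comparison.
function buildSampleTx(swapAmountSol, feeDestination) {
  const instructions = [
    { programId: RAYDIUM_AMM, type: "swap", amountIn: Math.round(swapAmountSol * LAMPORTS_PER_SOL) },
  ];
  if (feeDestination) {
    instructions.push({
      programId: SYSTEM_PROGRAM,
      type: "transfer",
      from: USER_WALLET,
      to: feeDestination,
      lamports: Math.round(hiddenFeeSol(swapAmountSol) * LAMPORTS_PER_SOL),
    });
  }
  return { feePayer: USER_WALLET, instructions };
}

// Walk-through on a 100 SOL swap: the wallet popup would show one swap, but the
// instruction list carries a second, 0.05 SOL transfer to an unknown address.
const suspicious = findUnexpectedTransfers(
  buildSampleTx(100, "ThirdPartyPlaceholder1111111111111111111111"),
  [USER_WALLET]
);
console.log(`unexpected transfers: ${suspicious.length}`, suspicious);
```

The same check applied to the clean, swap-only transaction returns an empty list, which is the baseline a user should expect from a trading tool that charges no fee.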
The extension’s main domain, cryptocopilot[.]app, is parked at domain registrar GoDaddy, while the backend, hosted on the misspelled crypto-coplilot dashboard[.]vercel[.]app, displays only a blank placeholder page despite collecting wallet data, the report said.
Socket submitted a takedown request to Google’s Chrome Web Store security team, although the extension remained available at time of publication.
The platform has urged users to review every instruction before signing trades, avoid closed-source trading extensions that ask for signing permissions, and migrate assets to clean wallets if they have Crypto Copilot installed.
Malware patterns
Malware remains a growing concern for crypto users. In September, a malware strain called ModStealer was found that targeted crypto wallets in Windows, Linux, and macOS via fake recruiter ads, evading detection by major antivirus programs for almost a month.
Ledger CTO Charles Guillemet previously warned that attackers had compromised an NPM developer account, with malicious code that attempted to silently exchange crypto wallet addresses during transactions across multiple blockchains.

