Solana News Today: Malicious Chrome Extension Exploits Trust to Silently Siphon Solana Funds

Generated by AI agent Coin World. Reviewed by AInvest News Editorial Team
Thursday, November 27, 2025, 4:50 pm ET. 1 min read

A malicious Google Chrome extension named Crypto Copilot has been identified as siphoning hidden fees from Solana (SOL) transactions, exploiting users' trust in browser-based trading tools. Cybersecurity firm Socket revealed that the extension, which markets itself as a convenience tool for executing Solana swaps directly from social media feeds, injects an additional transfer instruction into each transaction. This hidden fee (either 0.0013 SOL or 0.05% of the trade amount) is quietly routed to an attacker-controlled wallet, according to Cointelegraph. Users remain unaware of the theft, as the extension's interface displays only the swap details, masking the dual on-chain instructions that execute atomically, as reported by GBHackers.

The extension leverages Solana's decentralized exchange Raydium to perform swaps but appends a SystemProgram.transfer instruction to divert funds. This method departs from traditional wallet-draining tactics, which typically steal entire balances, by instead harvesting a recurring, smaller percentage from each trade, according to Cointelegraph. Socket noted that the malicious code is obfuscated to evade detection, with the backend hosted on a domain that appears inactive and the main website parked by GoDaddy, as reported by GBHackers. Despite a takedown request submitted to Google, the extension remains available on the Chrome Web Store, having been published on June 18, 2024, and reportedly used by 15 individuals as of November 2025, according to Cointelegraph.

The discovery underscores a growing trend of browser extension-based attacks in the cryptocurrency ecosystem. Similar schemes have emerged this year, including a popular wallet extension draining funds and a Jupiter DEX aggregator extension emptying Solana wallets. TechRepublic highlighted that 186 malicious crypto-themed extensions were identified in an 18-month analysis, with many remaining undetected by antivirus software for months. These threats exploit the Chrome extension store's vast user base (over 3 billion devices) to amplify their impact, often through deceptive permissions or cloned interfaces, as reported by TechRepublic.

For users, the implications are severe. The stealthy nature of Crypto Copilot's fee extraction means losses accumulate over time, particularly for active traders. Socket and cybersecurity analysts urge users to verify transaction details before signing, avoid unverified extensions, and audit installed tools for excessive permissions. Additionally, reviewing wallet connection histories and enabling transaction simulations on Solana explorers can help detect anomalies.

The incident also raises broader concerns about the security of decentralized finance (DeFi) tools. While Solana's ecosystem has seen rapid growth, including high-profile upgrades like Firedancer and Alpenglow, vulnerabilities in user-facing applications persist, as reported in a 2025 analysis. As institutions and retail investors increasingly adopt crypto ETFs and multi-chain wallets, the need for rigorous security audits and user education becomes critical to mitigating such risks.
