Solana News Today: Chrome Store's Oversight Lets Malicious Extension Drain Solana Users

Generated by AI AgentCoin WorldReviewed byAInvest News Editorial Team
Thursday, Nov 27, 2025 1:56 pm ET2min read
Speaker 1
Speaker 2
AI Podcast:Your News, Now Playing
SOL
--
RAY
--
JUP
--
Aime RobotAime Summary

- Socket researchers discovered a malicious Chrome extension, Crypto Copilot, secretly stealing 0.05% of

Solana
trades via hidden transfer instructions since June 2024.

- The tool exfiltrates wallet data to a backend server and uses obfuscated code to evade detection, highlighting privacy risks and stealthy crypto theft methods.

- Despite limited user base (15 users), the extension remained listed on Chrome Web Store for over a year, exposing weaknesses in browser extension moderation processes.

- Experts warn this reflects a growing trend of crypto scams exploiting trusted interfaces, urging users to audit browser permissions and advocate for stricter DeFi ecosystem oversight.

A new threat has emerged in the

Solana
(SOL) trading ecosystem, with cybersecurity researchers uncovering a malicious Chrome extension that siphons funds from users during transactions. The extension, dubbed Crypto Copilot, was identified by Socket, a cybersecurity firm, as secretly appending hidden transfer instructions to every Solana swap,
stealing a minimum of 0.0013 SOL
or 0.05% of the trade amount to an attacker-controlled wallet. The tool,
marketed as a convenience for executing trades directly from social media platforms
like X (formerly Twitter), has been operational since June 2024 and remains listed on the Chrome Web Store despite a takedown request submitted by researchers.

The attack mechanism is sophisticated. When users initiate a swap via Crypto Copilot, the extension constructs a legitimate

Raydium
swap instruction but silently adds a second instruction to transfer a fraction of the traded
SOL
to the attacker's address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. The user interface displays only the swap details, creating a false impression of legitimacy. Wallet confirmation screens typically summarize transactions without highlighting the hidden instructions, leaving users unaware that their funds are being drained. This method differs from traditional wallet-draining malware, which often targets entire balances, by instead implementing a stealthier, recurring fee structure.

The implications extend beyond individual losses.

Socket highlighted that the extension exfiltrates users' connected wallet public keys
to a backend server, crypto[.]copilot-dashboard[.]vercel[.]app/api/users, raising privacy concerns. Additionally, the extension's code includes obfuscated logic and embedded Helius RPC API credentials, further complicating detection efforts. The attack underscores a broader trend of malicious Chrome extensions targeting crypto users,
with researchers previously identifying 186 such tools
over 18 months, collectively siphoning over $1 million.

Experts warn that the threat is part of an evolving landscape of crypto scams.

Earlier this year, a similar extension named "Aggr"
stole $1 million from a single victim by manipulating network requests. The rise of these tools reflects a shift in tactics by cybercriminals, who are now exploiting trusted interfaces rather than relying on phishing or fake websites. "Criminals are infiltrating the very tools users trust most,"
Socket noted in its analysis
.

The discovery also highlights vulnerabilities in the Chrome Web Store's moderation process. Despite having only 15 users at the time of reporting, Crypto Copilot remained available for over a year, demonstrating how malicious extensions can evade detection even when their impact is limited.

Cybersecuritynews.com emphasized
that the extension's marketing materials omitted any mention of hidden fees or data collection, preying on users seeking convenience.

For now, users are advised to audit their installed Chrome extensions, verify URLs before connecting wallets, and avoid granting excessive permissions to browser tools. The broader crypto community is also calling for stricter oversight of extension ecosystems, particularly as decentralized finance (DeFi) platforms like Raydium and

Jupiter
become increasingly popular. As Socket researchers stressed, "Knowing the right details to remember is really important in complement to just having a longer context window", a principle that applies equally to both AI models and user vigilance in securing digital assets.