Solana News Today: Malicious Chrome Extension Exploits Trust to Silently Siphon Solana Funds

Generated by AI Agent Coin World. Reviewed by AInvest News Editorial Team.
Thursday, Nov 27, 2025 4:50 pm ET
Aime Summary

- A malicious Chrome extension, Crypto Copilot, secretly siphons 0.0013 SOL or 0.05% from Solana transactions via hidden transfer instructions.

- The extension exploits Raydium DEX and obfuscated code to bypass detection, routing fees to attacker-controlled wallets without user awareness.

- Despite a takedown request, the extension remains available on Chrome Web Store, highlighting growing browser-based crypto threats affecting 15 users as of 2025.

- Cybersecurity experts warn of rising malicious crypto extensions, urging users to audit tools and verify transactions to mitigate stealthy, cumulative losses.

A malicious Google Chrome extension named Crypto Copilot has been identified as siphoning hidden fees from Solana (SOL) transactions, exploiting users' trust in browser-based trading tools. Cybersecurity firm Socket revealed that the extension, which markets itself as a convenience tool for executing Solana swaps directly from social media feeds, injects an additional transfer instruction into each transaction. This hidden fee—either 0.0013 SOL or 0.05% of the trade amount—is quietly routed to an attacker-controlled wallet. Users remain unaware of the theft because the extension's interface displays only the swap details, masking the fact that two on-chain instructions execute atomically.

The extension leverages Solana's decentralized exchange Raydium to perform swaps but appends a SystemProgram.transfer instruction to divert funds. Unlike traditional wallet-draining tactics, which typically steal entire balances, this method harvests a recurring, smaller percentage from each trade. Socket noted that the malicious code is obfuscated to evade detection, with the backend hosted on a domain that appears inactive and the main website parked by GoDaddy. Despite a takedown request submitted to Google, the extension remains available on the Chrome Web Store, having been published on June 18, 2024, and reportedly used by 15 individuals as of November 2025.
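The pattern described above, a swap with an extra SystemProgram.transfer attached, can be checked before signing by decoding the transaction's instruction list. The following is an added example, not code from Socket or from the extension. It assumes the instructions have already been extracted into plain objects, and every account name in the sample is a constructed placeholder rather than a real address.

```javascript
// Added example: flag System Program transfers that a swap-only preview would hide.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const TRANSFER_INDEX = 2; // System Program "Transfer" instruction discriminant

// Transfer data layout: u32 little-endian index, then u64 little-endian lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== TRANSFER_INDEX) return null;
  // Account order for a transfer is [funding account, recipient].
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer whose recipient is not an account the user controls.
// userAccounts should list the wallet and any accounts it owns (assumption: the
// caller knows these, e.g. its own wrapped-SOL account used during a swap).
function findUnexpectedTransfers(instructions, userAccounts) {
  const known = new Set(userAccounts);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !known.has(t.to)) findings.push({ index, ...t });
  });
  return findings;
}

// Build 12 bytes of Transfer instruction data for the constructed sample.
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

// Constructed sample: a swap instruction followed by a 0.0013 SOL transfer
// (1 SOL = 1,000,000,000 lamports). Placeholder strings stand in for public keys.
const sampleTx = [
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET", "POOL_PLACEHOLDER"], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "UNKNOWN_RECIPIENT"], data: transferData(1_300_000n) },
];

const findings = findUnexpectedTransfers(sampleTx, ["USER_WALLET", "USER_WSOL_ACCOUNT"]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```

A non-empty result means the transaction moves SOL to an account the user did not name, which is the signal a swap-only interface would not surface.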

The discovery underscores a growing trend of browser extension-based attacks in the cryptocurrency ecosystem. Similar schemes have emerged this year, including a popular wallet extension draining funds and a DEX aggregator extension emptying Solana wallets. An 18-month analysis identified 186 malicious crypto-themed extensions, many of which remained undetected by antivirus software for months. These threats exploit the Chrome extension store's vast user base—over 3 billion devices—to amplify their impact, often through deceptive permissions or cloned interfaces.

For users, the implications are severe. The stealthy nature of Crypto Copilot's fee extraction means losses accumulate over time, particularly for active traders. Cybersecurity experts urge users to verify transaction details before signing, avoid unverified extensions, and audit installed tools for excessive permissions. Additionally, enabling transaction simulations on Solana explorers can help detect anomalies.

The incident also raises broader concerns about the security of decentralized finance (DeFi) tools. While Solana's ecosystem has seen rapid growth, including high-profile upgrades like Firedancer and Alpenglow, vulnerabilities in user-facing applications persist. As institutions and retail investors increasingly adopt crypto ETFs and multi-chain wallets, the need for rigorous security audits and user education becomes critical to mitigating such risks.