Cybersecurity analysts have identified a malicious Chrome extension that secretly adds an unauthorized Solana transfer during Raydium swap transactions and redirects the funds to a cryptocurrency wallet controlled by an attacker.
The extension, called Crypto Copilot, was released by a user known as "sjclark76" on May 7, 2024. It is marketed as a tool that allows users to trade cryptocurrency on X with real-time insights and smooth trade execution. Despite its harmful behavior, the extension remains available and has recorded 12 installations so far.
Socket security researcher Kush Pandya noted in a recent report that Crypto Copilot injects an additional Solana transfer into every Raydium swap. This hidden operation diverts at least 0.0013 SOL or 0.05 percent of the traded amount to a fixed wallet address linked to the attacker.
Raydium is a decentralized exchange and automated market maker that operates on the Solana blockchain.

How the Malicious Fee Injection Works
Investigators found heavily obscured code inside the extension. This code activates only when a user initiates a Raydium swap. The extension modifies the transaction and silently adds a SystemProgram.transfer instruction before the user signs it.
The added fee structure works as follows:
- 0.0013 SOL minimum for smaller trades
- 2.6 SOL and 0.05 percent of the traded amount for larger transactions that exceed 2.6 SOL
To remain unnoticed, the developer used code minification and variable renaming techniques to hide the malicious logic from casual reviews.
Communication With a Fake Backend
Crypto Copilot interacts with a backend hosted on the domain crypto coplipot dashboard dot vercel dot app to register linked wallets, fetch referral and points data, and report user activity. Another associated domain, cryptocopilot dot app, also fails to host any legitimate product.
Researchers found that the entire surrounding infrastructure appears to have been built only to pass Chrome Web Store checks and trick users into trusting the extension.
Users Left Completely Unaware
A key part of the scheme is that the extension never shows the extra fee inside the user interface. Only the visible swap details are displayed. Unless a user manually inspects every transaction instruction before confirming a signature, the unauthorized transfer will stay hidden.
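The check described above (inspecting every instruction before confirming a signature) can be automated. The following is an added example written for this article; it is not code from the Socket report, from the Crypto Copilot extension, or from any wallet. It models a Solana transaction as a plain list of instructions, decodes System Program transfers using the real on-chain encoding (instruction index 2 as a little-endian u32, then the lamport amount as a little-endian u64), and flags any transfer whose destination is not one of the user's own accounts. It also encodes the skim rule from the "How the Malicious Fee Injection Works" section (at least 0.0013 SOL, or 0.05 percent of the traded amount) so the expected loss for a given trade size can be computed. The wallet addresses and the swap program id are constructed placeholders, not real indicators from the report.

```javascript
// Added example, not code from the Socket report or the Crypto Copilot extension.
// Models a Solana transaction as a list of { programId, keys, data } instructions
// and performs the pre-signature inspection the article says users would
// otherwise have to do by hand. All addresses below except the System Program id
// are constructed placeholders.

const LAMPORTS_PER_SOL = 1_000_000_000;
// Real Solana System Program id. Transfer is index 2 in its instruction enum,
// serialised as little-endian u32 index followed by little-endian u64 lamports.
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111';
const SYSTEM_TRANSFER_INDEX = 2;
const MIN_SKIM_LAMPORTS = 1_300_000; // 0.0013 SOL, the minimum fee described

const USER_WALLET = 'UserWa11etPLACEHOLDER1111111111111111111111';     // constructed
const USER_WSOL_ACCOUNT = 'UserWsolAcctPLACEHOLDER111111111111111111'; // constructed
const ATTACKER_WALLET = 'AttackerWa11etPLACEHOLDER1111111111111111';   // constructed
const SWAP_PROGRAM_ID = 'SwapProgramPLACEHOLDER11111111111111111111';  // constructed stand-in for the DEX program

// Skim rule as described: max(0.0013 SOL, 0.05% of the trade), in lamports.
// 0.05% is computed as 5/10000 in integer arithmetic to avoid float drift.
function skimLamports(tradeLamports) {
  const percentCut = Math.floor((tradeLamports * 5) / 10_000);
  return Math.max(MIN_SKIM_LAMPORTS, percentCut);
}

// Encode System Program Transfer data exactly as the on-chain program expects it.
function encodeSystemTransfer(lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return data;
}

// Decode System Program instruction data: { kind: 'transfer', lamports }, { kind: 'other', index } or null.
function decodeSystemInstruction(data) {
  if (data.length < 4) return null;
  const index = data.readUInt32LE(0);
  if (index !== SYSTEM_TRANSFER_INDEX) return { kind: 'other', index };
  if (data.length < 12) return null;
  return { kind: 'transfer', lamports: Number(data.readBigUInt64LE(4)) };
}

// Constructed sample transaction: a legitimate wrapped-SOL funding transfer, the
// swap instruction, and optionally the kind of extra transfer the article
// describes being appended before the user signs.
function buildSampleSwapTx(tradeLamports, includeInjectedTransfer) {
  const instructions = [
    { programId: SYSTEM_PROGRAM_ID,
      keys: [{ pubkey: USER_WALLET }, { pubkey: USER_WSOL_ACCOUNT }],
      data: encodeSystemTransfer(tradeLamports) },
    { programId: SWAP_PROGRAM_ID, keys: [{ pubkey: USER_WALLET }], data: Buffer.from([9]) },
  ];
  if (includeInjectedTransfer) {
    instructions.push({ programId: SYSTEM_PROGRAM_ID,
      keys: [{ pubkey: USER_WALLET }, { pubkey: ATTACKER_WALLET }],
      data: encodeSystemTransfer(skimLamports(tradeLamports)) });
  }
  return { feePayer: USER_WALLET, instructions };
}

// Pre-signature check: every System Program transfer must land in an account the
// user recognises. Anything else is reported with its position and amount.
function inspectBeforeSigning(tx, knownDestinations) {
  const findings = [];
  tx.instructions.forEach((ix, i) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const decoded = decodeSystemInstruction(ix.data);
    if (!decoded || decoded.kind !== 'transfer') return;
    if (ix.keys.length < 2) return; // malformed transfer; nothing to attribute
    const from = ix.keys[0].pubkey;
    const to = ix.keys[1].pubkey;
    if (!knownDestinations.has(to)) {
      findings.push({ index: i, from, to, lamports: decoded.lamports,
                      sol: decoded.lamports / LAMPORTS_PER_SOL });
    }
  });
  return findings;
}

// Stand-alone run: a 5 SOL swap with the hidden transfer appended is flagged,
// because the third instruction sends 0.0025 SOL to an unrecognised account.
const demoTx = buildSampleSwapTx(5 * LAMPORTS_PER_SOL, true);
const demoKnown = new Set([USER_WALLET, USER_WSOL_ACCOUNT]);
console.log(inspectBeforeSigning(demoTx, demoKnown));
```

The allowlist approach deliberately reports any System Program transfer to an address the user has not pre-approved, rather than trying to recognise a specific attacker wallet, so it does not depend on knowing the destination in advance. A wallet or browser-side hook that runs this before presenting the signing prompt would surface exactly the instruction the extension's user interface omits.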
Crypto Copilot also makes use of trusted services like DexScreener and Helius RPC, giving it a misleading sense of legitimacy.
Pandya warned that most victims will never detect the suspicious activity because the fraudulent fee is sent directly to an attacker-controlled wallet instead of a known protocol treasury.