A malicious Google Chrome extension called Crypto Copilot has been caught secretly siphoning fees from users who trade Solana directly through their X (Twitter) feed, according to a new report from cybersecurity firm Socket.
The extension, marketed as a fast-trading convenience tool, embeds itself into the X interface and lets users execute swaps without leaving the platform. But Socket’s analysis shows that every trade processed through Crypto Copilot includes a hidden instruction that redirects a small amount of SOL to the attacker’s wallet, typically 0.0013 SOL or 0.05% of the trade.
Socket explained that the swaps run through the Solana DEX Raydium, but the malicious code appends a second instruction that the user interface does not display. While the transaction confirmation screen shows only the swap summary, both instructions are executed atomically on-chain, allowing the attacker to drain small amounts undetected.
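A pre-signing check for the pattern described above, as an added example that is not code from Socket's report or from the extension: it walks every instruction in a decoded transaction message and flags System Program transfers to recipients the wallet does not expect. The message shape, the placeholder account names and the allow-list are assumptions; account keys are taken as already resolved and instruction data as already decoded to bytes.

```javascript
// Added example: flag SOL transfers that ride along with a swap in one transaction.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const TRANSFER_TAG = 2; // SystemInstruction::Transfer discriminant (u32, little-endian)

// System transfer data layout: u32 LE tag, then u64 LE lamports. Returns BigInt or null.
function parseSystemTransfer(data) {
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== TRANSFER_TAG) return null;
  return view.getBigUint64(4, true);
}

// Return every System transfer whose recipient is not in allowedRecipients (a Set).
function findUnexpectedTransfers(message, allowedRecipients) {
  const findings = [];
  message.instructions.forEach((ix, index) => {
    if (message.accountKeys[ix.programIdIndex] !== SYSTEM_PROGRAM) return;
    const lamports = parseSystemTransfer(ix.data);
    if (lamports === null || ix.accounts.length < 2) return;
    const to = message.accountKeys[ix.accounts[1]]; // accounts are [from, to]
    if (!allowedRecipients.has(to)) {
      findings.push({ index, from: message.accountKeys[ix.accounts[0]], to, lamports });
    }
  });
  return findings;
}

// Constructed sample: placeholder keys, an opaque swap call plus a 1,300,000-lamport transfer.
const transferData = new Uint8Array(12);
const dv = new DataView(transferData.buffer);
dv.setUint32(0, TRANSFER_TAG, true);
dv.setBigUint64(4, 1300000n, true); // 0.0013 SOL at 1e9 lamports per SOL

const sampleMessage = {
  accountKeys: ["USER_WALLET_PLACEHOLDER", "DEX_PROGRAM_PLACEHOLDER",
                "UNKNOWN_RECIPIENT_PLACEHOLDER", SYSTEM_PROGRAM],
  instructions: [
    { programIdIndex: 1, accounts: [0], data: new Uint8Array([9, 0, 0, 0]) }, // swap (opaque)
    { programIdIndex: 3, accounts: [0, 2], data: transferData },              // appended transfer
  ],
};

for (const f of findUnexpectedTransfers(sampleMessage, new Set(["USER_WALLET_PLACEHOLDER"]))) {
  console.log(`instruction #${f.index}: ${Number(f.lamports) / 1e9} SOL -> ${f.to}`);
}
```

The allow-list should hold the accounts the wallet itself controls, so that transfers a swap legitimately makes between the user's own accounts are not flagged.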
A quiet, months-long operation
The extension has been live since June 18, 2024, and despite its malicious behavior, it remained available in the Chrome Web Store with around 15 users. Socket said it has already submitted a takedown request to Google.
Crypto Copilot advertises itself as a productivity tool, claiming to let traders “act on opportunities instantly” without switching platforms, a pitch that appears to have helped it evade suspicion for months.
Chrome extensions remain a prime attack vector
Crypto Copilot is the latest in a string of malicious Chrome extensions targeting crypto users. Earlier this month, Socket identified another harmful wallet extension draining funds, and over the summer, Solana users were hit by a separate plugin that emptied wallets. In one notable case in June, a Chinese trader lost $1 million after unknowingly installing a compromised extension that harvested browser cookies to break into exchange accounts.

