Chrome Extension Crypto Copilot Steals Solana via Hidden Transfer Fees

These articles are AI-generated summaries. Please check the original sources for full details.

Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

The ‘Crypto Copilot’ Chrome extension, published in May 2024, secretly adds an unauthorized Solana transfer to Raydium swap transactions, redirecting funds to an attacker-controlled wallet. As of November 26, 2025, the extension remains available with 12 installs despite the discovered malicious behavior.

Why This Matters

Current blockchain security models rely heavily on users reviewing transaction details, but obfuscated code inside a browser extension bypasses this safeguard. The attack shows that seemingly legitimate tools can silently extract funds: because the extension siphons 0.05% of each swap, potential losses are on the scale of thousands of dollars.

Key Insights

  • Extension Published Date: May 7, 2024 (Socket Security report)
  • Obfuscation Techniques: Minification and variable renaming are used to conceal malicious code within the extension.
  • Trust Exploitation: The extension leverages legitimate services like DexScreener and Helius RPC to appear trustworthy.

Practical Applications

  • Use Case: Malicious actors targeting crypto users via browser extensions to silently extract funds from transactions.
  • Pitfall: Over-reliance on extension trustworthiness without inspecting transaction details before signing, leading to unnoticed fund theft.
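
One way to act on the pitfall above, as an added example (not code from the original report or from the extension): scan a decoded transaction's instruction list before signing and flag any System Program SOL transfer whose recipient is not one of the user's own accounts. The instruction objects, helper names and placeholder addresses are constructed for illustration; the example assumes a wallet has already decoded the instructions from the transaction message.

```javascript
// Added example: sample data is constructed; addresses are placeholders.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // System Program "Transfer" discriminator (u32 LE)

// Decode a System Program transfer: [u32 LE discriminator][u64 LE lamports].
// Returns null for any other instruction or for malformed data.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.accounts.length < 2) return null;
  const bytes = Uint8Array.from(ix.data);
  if (bytes.length < 12) return null;
  const view = new DataView(bytes.buffer);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Flag every SOL transfer whose recipient is not one of the user's own accounts.
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const transfer = decodeSystemTransfer(ix);
    if (transfer && !allowed.has(transfer.to)) findings.push({ index, ...transfer });
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function encodeTransferData(lamports) {
  const view = new DataView(new ArrayBuffer(12));
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return Array.from(new Uint8Array(view.buffer));
}

const USER = "USER_WALLET_PLACEHOLDER";
const USER_WSOL = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const UNKNOWN = "UNKNOWN_RECIPIENT_PLACEHOLDER";
const sampleInstructions = [
  // Wrapping 1 SOL into the user's own token account (expected).
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, USER_WSOL], data: encodeTransferData(1000000000n) },
  // The swap itself, left opaque here.
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, USER_WSOL], data: [9, 0, 0, 0] },
  // Extra transfer of 0.05% of the swap amount to an account the user does not own.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, UNKNOWN], data: encodeTransferData(500000n) },
];

for (const f of findUnexpectedTransfers(sampleInstructions, [USER, USER_WSOL])) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```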
