Introduction
A sophisticated malware campaign is targeting cryptocurrency traders through a seemingly legitimate Chrome extension that enables Solana trading directly from X. Dubbed Crypto Copilot, the extension secretly siphons funds from every transaction while maintaining the appearance of normal functionality, representing a new evolution in crypto-focused cybercrime that prioritizes stealth over outright theft.
Key Points
- Injects a hidden transfer into every Solana swap, skimming 0.0013 SOL or 0.05% of the trade, whichever is greater
- Uses Raydium DEX for legitimate swaps while secretly transferring funds to attacker
- Transaction screens summarize activity without revealing individual malicious instructions
The Stealthy Mechanics of Crypto Copilot
According to cybersecurity firm Socket’s Tuesday report, Crypto Copilot operates with a level of sophistication that distinguishes it from traditional cryptocurrency malware. Unlike wallet-draining attacks that attempt to steal entire balances in one swoop, this extension employs a more subtle approach by injecting an extra transfer into every Solana swap executed through the platform. The malicious code systematically skims either 0.0013 SOL or 0.05% of each trade value, whichever amount is greater, directly into the attacker’s wallet.
The extension’s deceptive strength lies in its dual functionality. While it legitimately uses the Raydium decentralized exchange to perform the user’s intended swaps, it simultaneously appends a second, hidden instruction that transfers SOL from the user to the attacker. This sophisticated implementation means users receive the cryptocurrency they intended to trade for, making the unauthorized deductions easy to overlook amid normal trading activity and market fluctuations.
The User Interface Deception
Crypto Copilot’s most effective deception occurs at the user interface level, where transaction confirmation screens deliberately obscure the malicious activity. The wallet interfaces present users with summarized transaction information that fails to surface individual instructions, effectively hiding the secondary transfer from plain view. This design choice capitalizes on how most users interact with cryptocurrency wallets—typically approving transactions based on summary information rather than scrutinizing every technical detail.
The extension’s integration with X (formerly Twitter) adds another layer of credibility, as users trading directly from their social media feed may be less vigilant about security protocols. The combination of convenient functionality and obscured transaction details creates an environment where the systematic skimming can continue undetected across multiple transactions, potentially accumulating significant stolen funds over time while maintaining the appearance of a legitimate trading tool.
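The skim formula from the mechanics section and the instruction-level check that the summarized wallet screens skip can both be shown in code. The following is an added example, not code from the article or from Socket's report: it decodes System Program transfer instructions inside a simplified transaction model and flags any SOL leaving the signer toward an account that is not part of the intended swap. The program ids, wallet addresses, the `Instruction` class and the sample transaction are constructed placeholders.

```python
# Added, defender-side audit of a Solana transaction's instruction list.
# The System Program id and the Transfer encoding (variant index 2 as u32 LE,
# then lamports as u64 LE) are real; everything else below is a placeholder.
from dataclasses import dataclass
import struct

LAMPORTS_PER_SOL = 1_000_000_000
SYSTEM_PROGRAM = "11111111111111111111111111111111"  # real System Program id
RAYDIUM_PROGRAM = "RaydiumProgramPlaceholder11111111111111111"  # constructed
USER = "UserWalletPlaceholder1111111111111111111111"           # constructed
ATTACKER = "AttackerWalletPlaceholder111111111111111111"       # constructed
POOL = "PoolAccountPlaceholder11111111111111111111"            # constructed

@dataclass
class Instruction:
    program_id: str
    accounts: list   # account keys in the order the instruction references them
    data: bytes      # raw instruction data

def skim_lamports(trade_lamports: int) -> int:
    """Skim described in the article: max(0.0013 SOL, 0.05% of the trade)."""
    return max(1_300_000, trade_lamports * 5 // 10_000)

def decode_system_transfer(ix: Instruction):
    """Return (from, to, lamports) if ix is a System Program Transfer, else None."""
    if ix.program_id != SYSTEM_PROGRAM or len(ix.data) != 12:
        return None
    tag, lamports = struct.unpack("<IQ", ix.data)
    if tag != 2:
        return None
    return ix.accounts[0], ix.accounts[1], lamports

def audit_transaction(instructions, signer, allowed_recipients):
    """Flag every SOL transfer out of `signer` to an account not expected by the swap."""
    findings = []
    for idx, ix in enumerate(instructions):
        transfer = decode_system_transfer(ix)
        if transfer and transfer[0] == signer and transfer[1] not in allowed_recipients:
            findings.append((idx, transfer[1], transfer[2]))
    return findings

# Constructed sample: a 2 SOL swap followed by the appended hidden transfer.
TRADE = 2 * LAMPORTS_PER_SOL
SAMPLE_TX = [
    Instruction(RAYDIUM_PROGRAM, [USER, POOL], b"swap-data-placeholder"),
    Instruction(SYSTEM_PROGRAM, [USER, ATTACKER], struct.pack("<IQ", 2, skim_lamports(TRADE))),
]

if __name__ == "__main__":
    for idx, to, lamports in audit_transaction(SAMPLE_TX, USER, {POOL}):
        print(f"instruction {idx}: {lamports / LAMPORTS_PER_SOL:.6f} SOL to {to}")
```

On the 2 SOL sample the percentage component (0.001 SOL) is below the 0.0013 SOL floor, so the floor applies; the audit reports the second instruction regardless of which branch produced the amount.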
A New Breed of Crypto Malware
This attack represents a significant evolution in cryptocurrency-targeting malware strategy. By opting for repeated small thefts rather than single large-scale thefts, attackers reduce the likelihood of immediate detection and user alarm. The 0.0013 SOL minimum ensures that even small trades contribute to the attacker’s profits, while the percentage-based component scales with larger transactions, creating an optimized revenue stream that balances stealth with profitability.
The focus on Solana trading through Raydium demonstrates attackers’ awareness of current market trends and user behaviors. As Solana continues to gain popularity for its fast transaction speeds and lower fees, it becomes an increasingly attractive target for such sophisticated attacks. The malware’s design suggests careful study of both technical implementation and user psychology, creating a threat that’s difficult to detect through conventional security measures.
This incident underscores the critical need for enhanced security practices in the cryptocurrency space, particularly regarding browser extensions and social media-integrated trading tools. Users must exercise extreme caution when installing financial software and should regularly audit their transaction histories for unauthorized activity, even when amounts appear insignificant individually.
📎 Related coverage from: cointelegraph.com
