Chrome Extension Silently Diverting Solana User Funds 

A Chrome extension for Solana, known as Crypto Copilot, has been caught silently stealing users' funds since June 2024.

A Chrome extension for Solana trading, known as Crypto Copilot, has been caught silently stealing users’ funds since June 2024. The plugin allows users to trade Solana directly from X, but redirects small amounts of each transaction to the attackers’ wallets.

Crypto malware can hide in tools that look entirely legitimate, and the deceptive simplicity of the extension demonstrates precisely how an attacker exploits convenience.

While traders are busy with fast swaps, the plugin works in the background, consistently siphoning off money in small amounts. The method avoids large warnings and makes the theft hard to notice, even for attentive users.

How Crypto Copilot Steals Funds 

Unlike traditional malware that drains entire wallets, Crypto Copilot stays in the background. The malware tacks an additional Solana on-chain instruction onto each Raydium swap, transferring at least 0.0013 SOL, 0.05% of the trade, to the attacker’s wallet.

Users “sign what appears to be a single swap, but both instructions execute atomically on-chain,” as Socket described it.

The extension carries out hidden-fee theft by concealing a small transfer in each transaction. The attack relies on Solana’s instruction bundling, which lets multiple actions run together in one transaction, keeping the theft nearly invisible.

The wallet abstraction layer is what makes this scheme possible. Many wallets show only high-level summaries, which masks the hidden transfer.
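The hidden transfer can be surfaced by decoding every instruction in a transaction before signing instead of relying on a summary. The following is an added example, not code from Socket or from the extension; the simplified transaction shape (`programId`, `accounts`, `data`), the account and program names, and the sample transaction are constructed assumptions, while the System Program ID and its transfer encoding are Solana's own.

```javascript
const SYSTEM_PROGRAM = "11111111111111111111111111111111";

// System Program "Transfer" data: u32 LE instruction index (2) + u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM) return null;
  if (ix.data.length !== 12 || ix.accounts.length < 2) return null;
  const view = new DataView(Uint8Array.from(ix.data).buffer);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Returns one finding per SOL transfer whose destination the user does not own.
function findUnexpectedTransfers(tx, ownedAccounts) {
  const owned = new Set(ownedAccounts);
  const found = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !owned.has(t.to)) found.push({ index, ...t });
  });
  return found;
}

// Helper used only to build the constructed sample below.
function encodeTransfer(lamports) {
  const view = new DataView(new ArrayBuffer(12));
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return Array.from(new Uint8Array(view.buffer));
}

// Constructed sample: a wrap-SOL transfer to the user's own account, a swap
// instruction (placeholder program ID), and an extra 0.0013 SOL transfer.
const OWNED = ["USER_WALLET_PLACEHOLDER", "USER_WSOL_ACCOUNT_PLACEHOLDER"];
const sampleTx = {
  instructions: [
    { programId: SYSTEM_PROGRAM, data: encodeTransfer(1000000000n),
      accounts: ["USER_WALLET_PLACEHOLDER", "USER_WSOL_ACCOUNT_PLACEHOLDER"] },
    { programId: "SWAP_PROGRAM_PLACEHOLDER", data: [9, 0, 0, 0],
      accounts: ["USER_WALLET_PLACEHOLDER", "POOL_PLACEHOLDER"] },
    { programId: SYSTEM_PROGRAM, data: encodeTransfer(1300000n),
      accounts: ["USER_WALLET_PLACEHOLDER", "UNKNOWN_RECIPIENT_PLACEHOLDER"] },
  ],
};

for (const f of findUnexpectedTransfers(sampleTx, OWNED)) {
  console.log(`instruction ${f.index}: ${Number(f.lamports) / 1e9} SOL -> ${f.to}`);
}
```

The transfer to the user's own wrapped-SOL account is not flagged; only the transfer to an account outside the owned set is reported.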

User trust is another factor. Traders assume that extensions are safe, which highlights the risks of browser-level crypto security. Because it drains funds slowly, Crypto Copilot creates a low-risk revenue stream for attackers. When it was reported, the plugin had only 15 users.

Socket has asked Google to remove the extension from the Chrome Web Store. Its back-end logic is representative of a Chrome extension transaction exploit.

Protecting Your Wallet and Trades 

Crypto Copilot is the latest example of a malicious crypto plugin targeting users. Earlier incidents include Jupiter’s warning about a Solana wallet plugin and Aggr, which stole $1 million from a Chinese trader.

These attacks show how a malicious Chrome crypto plugin can get around typical safeguards.

Security experts therefore recommend immediate steps: uninstall the extension and review Solana activity for anything of concern. Users should also consider revoking Chrome extension permissions.

Another precaution is to choose wallets that undergo a security audit.

Web3 browser sandboxing, designed to connect users to the decentralized web, will further protect the browser environment and prevent malicious scripts from accessing wallet data. With attacks like this on the rise, crypto security is no longer just about the blockchain: the browser layer needs to be safeguarded so that Chrome extensions for Solana don’t compromise user funds.

