- The Chrome extension Crypto Copilot secretly adds a hidden fee to every Solana token swap made on Raydium, redirecting funds to an attacker’s wallet.
- Security researchers found the extension uses obfuscated code and a misspelled backend domain to conceal this unauthorized activity.
- The theft mechanism charges either a minimum fee of 0.0013 SOL or 0.05% of the trade value, so the amount taken scales with trade size. The extension remains active on the Chrome Web Store.
- Users see normal swap details and unknowingly authorize the extra transfer as part of one transaction.
Since June 2025, the Chrome extension Crypto Copilot, advertised as a Solana trading assistant, has been secretly siphoning SOL tokens from users during Raydium swaps. The cybersecurity firm Socket discovered this while monitoring the Chrome Web Store and described it in its analysis.
The extension injects a hidden transfer command into each Solana token swap transaction on Raydium, a decentralized exchange and automated market maker on Solana’s blockchain. This extra instruction draws a fee directly from user trades and sends it to an attacker-controlled wallet. The fee is either 0.0013 SOL (around $0.12) for swaps below 2.6 SOL or 0.05% of the swap amount for larger trades. For example, a 100 SOL trade would deduct roughly 0.05 SOL, valued at about $4.50.
According to Socket security engineer Kush Pandya, the extension’s code is heavily obfuscated, and the main domain cryptocopilot[.]app, registered through GoDaddy, is inactive. Its backend at the misspelled crypto-coplilot-dashboard[.]vercel[.]app only shows a blank page while collecting wallet data, further masking its operations.
Users who installed Crypto Copilot have unknowingly paid these fees, as the extension’s interface and transaction summaries display only the intended swap details. Because the swap and the extra transfer execute together on-chain in a single transaction, the additional fee is invisible during authorization.
Although the amount stolen so far is small, the scale of this hidden fee grows with trade size. The extension remains available on the Chrome Web Store at the time of the report. Socket has submitted a takedown request and advises users to carefully review all transaction instructions before signing, avoid closed-source extensions with signing permissions, and move assets to secure wallets if they used Crypto Copilot.
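One way to act on the advice to review transaction instructions before signing, as an added example that is not code from Socket or from the extension: it scans a decoded instruction list for SOL transfers to accounts the signer does not own. It assumes the extra instruction is a native System Program transfer and uses a simplified instruction shape; the account names, the DEX program ID and the sample transaction are constructed placeholders.

```javascript
// Added example: constructed data and placeholder addresses, not from the report.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000n;

// System Program Transfer data: u32 LE instruction index (2) + u64 LE lamports.
function encodeTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

function decodeTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, 12);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Fee rule as reported: 0.0013 SOL minimum, otherwise 0.05% of the swap amount.
function reportedFeeLamports(swapLamports) {
  const minimum = 1_300_000n;
  const percent = (swapLamports * 5n) / 10_000n;
  return percent > minimum ? percent : minimum;
}

// Flag SOL transfers whose destination is not one of the signer's own accounts.
function findUnexpectedTransfers(instructions, ownAccounts) {
  const own = new Set(ownAccounts);
  return instructions
    .map((ix, index) => ({ index, transfer: decodeTransfer(ix) }))
    .filter(({ transfer }) => transfer && !own.has(transfer.to))
    .map(({ index, transfer }) => ({ index, ...transfer }));
}

// Constructed 100 SOL swap: wrap SOL, swap, then an extra transfer to a stranger.
const swapLamports = 100n * LAMPORTS_PER_SOL;
const sampleInstructions = [
  { programId: SYSTEM_PROGRAM, accounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"], data: encodeTransfer(swapLamports) },
  { programId: "DEX_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM, accounts: ["USER_WALLET", "UNKNOWN_RECIPIENT"], data: encodeTransfer(reportedFeeLamports(swapLamports)) },
];

const findings = findUnexpectedTransfers(sampleInstructions, ["USER_WALLET", "USER_WSOL_ACCOUNT"]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports to ${f.to}`);
}
```

The transfer that funds the signer's own wrapped-SOL account is not flagged because its destination is in the allowlist; only the third instruction is reported.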
