A Chrome browser extension is silently draining Solana from unsuspecting crypto traders. Worse yet, most victims have no idea it’s happening.
The extension, called Crypto Copilot, hides malicious code that injects secret transfer fees into legitimate cryptocurrency transactions. Every time you swap tokens on Raydium, the extension steals a cut and sends it straight to the attacker’s wallet.
Socket security researchers discovered the scam on November 26, 2025. The extension remains live in the Chrome Web Store with 12 recorded installs.
How the Scam Actually Works
Crypto Copilot markets itself as a tool to “trade crypto directly on X with real-time insights.” That sounds helpful. But behind that friendly interface lurks something far more sinister.
When you initiate a Raydium swap, the extension springs into action. It manipulates your transaction before you sign it. Specifically, it adds a hidden SystemProgram.transfer instruction that reroutes funds to a hardcoded wallet address.
The fee calculation works like this. For smaller trades, the extension steals a minimum of 0.0013 SOL. For trades exceeding 2.6 SOL, it takes 0.05% of the total amount. That might sound small at first glance.
But here’s the brutal part. These fees add up across every single trade. Plus, they’re completely undisclosed. The user interface shows only the swap details you expect to see. The hidden transfer remains invisible until you dig deep into the transaction instructions.
Most people never check. They trust the extension they installed. So the money disappears without anyone noticing.
Obfuscation Techniques Hide the Theft
The developers didn’t stumble into this accidentally. The malicious code uses sophisticated obfuscation to avoid detection.
Variable names get renamed to meaningless strings. The code gets minified to make it nearly impossible to read. These techniques help the extension pass Chrome Web Store’s automated security reviews.

Moreover, the extension communicates with backend servers hosted on crypto-coplilot-dashboard.vercel[.]app. It registers connected wallets, tracks user activity, and reports back to the attackers. Yet neither this domain nor the main cryptocopilot[.]app site hosts any legitimate product.
The infrastructure exists solely to create an illusion of legitimacy. Behind the scenes, everything funnels toward one goal: stealing small amounts from thousands of transactions.
Legitimate Services Provide False Trust
Crypto Copilot makes clever use of real cryptocurrency services to appear trustworthy. It integrates with DexScreener for price data and Helius RPC for blockchain interactions.
These integrations work exactly as advertised. So when traders see familiar names in the extension’s code, they assume everything’s legitimate. That’s precisely what the attackers count on.
Socket researcher Kush Pandya explains the psychology at work. “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”
The extension was published to the Chrome Web Store on May 7, 2024, under the developer name “sjclark76.” That account likely represents either a compromised identity or a completely fabricated profile.
Detection Remains Nearly Impossible
Most users will never discover this scam on their own. The transaction signing interface doesn’t highlight the extra transfer. Wallet apps show the swap details you expect, plus a bunch of technical instructions most people ignore.
Even security-conscious traders might miss it. You’d need to manually inspect every instruction in every transaction before signing. That’s tedious and impractical for regular trading activity.
Furthermore, blockchain explorers show the transfer as just another instruction in a complex transaction. Without knowing exactly what to look for, it blends right in with legitimate swap mechanics.

The 0.0013 SOL minimum fee equals roughly $0.20 at recent prices. Small enough that most traders wouldn’t notice it missing from their wallet balance. But multiply that across hundreds of users and thousands of transactions, and the attacker’s wallet fills up fast.
Browser Extensions Remain High-Risk
This case highlights a persistent problem in cryptocurrency security. Browser extensions require extensive permissions to function. Those same permissions create massive attack surfaces.
When you install a trading extension, you’re granting it permission to interact with your wallet, read your transaction data, modify web pages, and intercept network requests. All of these capabilities enable legitimate functionality. They also enable sophisticated attacks.
Chrome Web Store’s review process catches obvious malware. But subtle manipulation like this often slips through. The code looks functional. The extension provides some real features. The malicious payload activates only under specific conditions.
Security researchers recommend treating browser extensions with extreme caution. Install only extensions from verified developers with established reputations. Even then, review the permissions carefully and monitor your transactions for anything unexpected.
What Traders Should Do Now
If you installed Crypto Copilot, remove it immediately. Then review your recent Raydium transactions for suspicious transfers.
Check your wallet’s transaction history on Solana explorers like Solscan. Look for small SOL transfers you didn’t initiate. If you find them, you’ve been affected.
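The manual check above can be automated. The following is an added example, not code from Socket's report or from the extension: it decodes System Program transfers in a transaction's instruction list, flags any that leave the user's wallet for an unexpected recipient, and reproduces the fee formula described earlier. The instruction shape, the helper names and all addresses are assumptions made for illustration.

```javascript
// Added example; instruction shape { programId, accounts, data } is an assumed,
// simplified form of a decoded transaction, not a wallet or library API.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";

// Fee described in the article: 0.05% of the trade, floor of 0.0013 SOL.
function describedFeeLamports(swapLamports) {
  const floor = 1300000n;                     // 0.0013 SOL in lamports
  const pct = (swapLamports * 5n) / 10000n;   // 0.05%
  return pct > floor ? pct : floor;
}

// System Program transfer data: u32 LE index (2) followed by u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  if (!(ix.data instanceof Uint8Array) || ix.data.length !== 12) return null;
  if (!Array.isArray(ix.accounts) || ix.accounts.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, 12);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Every SOL transfer out of `wallet` to a recipient the user did not expect.
// expectedRecipients: addresses the user controls or intended to pay.
function findUnexpectedTransfers(instructions, wallet, expectedRecipients = []) {
  const allowed = new Set([wallet, ...expectedRecipients]);
  return instructions
    .map((ix, index) => ({ index, t: decodeSystemTransfer(ix) }))
    .filter(({ t }) => t && t.from === wallet && !allowed.has(t.to))
    .map(({ index, t }) => ({ index, ...t }));
}

// Constructed sample: placeholder addresses, a 10 SOL swap plus an extra transfer.
function encodeTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}
const WALLET = "UserWalletPlaceholder";
const WSOL_ACCOUNT = "UserWrappedSolAccountPlaceholder";
const SAMPLE_TX = [
  { programId: SYSTEM_PROGRAM_ID, accounts: [WALLET, WSOL_ACCOUNT], data: encodeTransfer(10000000000n) },
  { programId: "DexProgramPlaceholder", accounts: [WALLET, WSOL_ACCOUNT], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [WALLET, "UnknownRecipientPlaceholder"], data: encodeTransfer(5000000n) },
];

const findings = findUnexpectedTransfers(SAMPLE_TX, WALLET, [WSOL_ACCOUNT]);
console.log(findings, describedFeeLamports(10000000000n));
```

In the sample, the only flagged instruction is the third one, and its amount equals the fee the formula gives for a 10 SOL swap.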
Beyond this specific extension, adopt better security practices. Never install crypto-related extensions without thorough research. Verify the developer’s identity through multiple channels. Read recent user reviews and check security researcher reports.
Consider using hardware wallets that require manual approval for every transaction. This creates an additional checkpoint where you can spot unauthorized transfers. It’s not foolproof, but it adds meaningful friction against automated theft.
Most importantly, treat every extension as potentially malicious until proven otherwise. That sounds paranoid. But in cryptocurrency, paranoia often proves justified. The stakes are simply too high to trust blindly.