New Security Alert: Crypto Copilot Chrome Extension Skims Solana Swaps

Takeaways
  • Malware Discovery: A Chrome extension named "Crypto Copilot" disguises itself as a trading tool for X (Twitter) but secretly modifies transactions to siphon user funds.
  • The Skimming Mechanism: The malware injects a hidden command into Raydium swaps, transferring a 0.05% fee (or minimum 0.0013 SOL) to the attacker without the user’s knowledge.
  • Deceptive Tactics: The developer obfuscated the malicious code within the extension's bundle and utilized legitimate APIs to evade detection by the Chrome Web Store.

A malicious Google Chrome extension dubbed Crypto Copilot is actively compromising the Solana ecosystem by injecting hidden code into Raydium swaps to siphon fees from unsuspecting traders. The malware, which masquerades as a convenience tool for executing trades directly from social media feeds, represents a dangerous evolution in browser-based crypto-jacking by skimming small amounts per transaction rather than draining wallets entirely.

Anatomy of the Crypto Copilot ‘Skim’

According to a recent report by cybersecurity firm Socket, the malware operates by manipulating the transaction construction process on the backend. The extension markets itself as a utility that allows users to trade Solana tokens directly from the X (formerly Twitter) interface.

However, researchers found that when a user initiated a swap on the Raydium decentralized exchange (DEX), the extension’s code atomically appended a secondary instruction: SystemProgram.transfer. 

This hidden instruction routed a “fee,” calculated as the greater of 0.0013 SOL or 0.05% of the transaction value, to a hardcoded wallet address controlled by the malware’s creator. Because Solana wallets often summarize transaction data in the high-level approval window, the secondary transfer was frequently obscured from the user, who believed they were signing a single standard swap instruction.
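The skim described above works because an extra System Program transfer rides along inside the same transaction the user signs. The following is an added example, not code from the Socket report or from the extension: a pre-signing inspector that decodes Solana System Program transfer instructions by their on-chain data layout and flags any SOL transfer whose destination is not on the user's allow-list. It also encodes the reported fee formula (the greater of 0.0013 SOL or 0.05% of the swap value) so the sample can reproduce the shape of the injected instruction. The System Program id and the Transfer discriminant are the real Solana values; the DEX program id, wallet addresses and swap amount are constructed placeholders.

```javascript
// Added example (not the extension's or Socket's code): inspect a Solana
// transaction's instructions before signing and report SOL transfers to
// addresses the user did not intend to pay. Instructions are modelled as
// plain objects { programId, keys, data } rather than web3.js classes so
// this runs without any dependency.

const LAMPORTS_PER_SOL = 1_000_000_000n;
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program id
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminant (u32 LE)

// Skim formula as reported: max(0.0013 SOL, 0.05% of swap value), in lamports.
function expectedSkimLamports(swapLamports) {
  const floor = 1_300_000n;          // 0.0013 SOL
  const pct = swapLamports / 2000n;  // 0.05% == 1/2000
  return pct > floor ? pct : floor;
}

// Decode a System Program instruction; returns the lamports for a Transfer, else null.
// Layout: u32 LE instruction index, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const data = ix.data;
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// Walk every instruction and collect transfers whose destination is outside the allow-list.
function findUnexpectedTransfers(tx, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const lamports = decodeSystemTransfer(ix);
    if (lamports === null) return;
    const [from, to] = ix.keys; // Transfer accounts: [source (signer), destination]
    if (!allowed.has(to)) findings.push({ index, from, to, lamports });
  });
  return findings;
}

// Build a System Program Transfer instruction with the same byte layout the decoder expects.
function encodeTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return { programId: SYSTEM_PROGRAM_ID, keys: [from, to], data };
}

// Constructed sample: a 10 SOL swap on a placeholder DEX program, followed by the
// kind of appended transfer the extension is described as injecting.
const USER = "UserWalletPlaceholder1111111111111111111111";      // placeholder
const SKIMMER = "AttackerWalletPlaceholder11111111111111111111"; // placeholder
const DEX_PROGRAM = "DexProgramPlaceholder1111111111111111111111"; // placeholder, not Raydium's id
const swapLamports = 10n * LAMPORTS_PER_SOL;
const sampleTx = {
  instructions: [
    { programId: DEX_PROGRAM, keys: [USER], data: new Uint8Array([9, 0, 0, 0]) }, // stand-in swap
    encodeTransfer(USER, SKIMMER, expectedSkimLamports(swapLamports)),
  ],
};

const findings = findUnexpectedTransfers(sampleTx, [USER]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${Number(f.lamports) / 1e9} SOL from ${f.from} to ${f.to}`);
}
```

Run with `node` and the sample reports the appended 0.005 SOL transfer (0.05% of 10 SOL, which exceeds the 0.0013 SOL floor). The decoder keys on the program id and instruction discriminant rather than on any label the extension or wallet UI chooses to display, which is the property a wallet's transaction preview needs if it is to surface an instruction the user did not compose.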

Technical Obfuscation and Infrastructure

The threat actors employed significant measures to conceal the malicious activity. The investigation revealed that the fee extraction logic was buried under layers of obfuscated JavaScript, utilizing aggressive variable renaming and minification to evade automated security scans.

Furthermore, the extension attempted to establish a veneer of legitimacy by utilizing valid RPCs from providers such as Helius and DexScreener to fetch real-time pricing data. However, the software also communicated with a suspicious backend hosted on a misspelled domain (crypto-coplilot-dashboard.vercel.app). 

Researchers noted that the lack of documentation and the “placeholder” nature of the dashboard were consistent with malicious software practices designed solely to harvest wallet metadata.

Crypto Copilot Developer and Distribution

The extension was reportedly published to the Chrome Web Store under the developer name “sjclark76” around May 7, 2024. While the extension showed a relatively low install count of approximately 15 users at the time of the report, security analysts warned that the underlying mechanism posed a disproportionate risk to high-volume traders. 

Unlike “drainers” that trigger immediate alarms, this “skimmer” approach allowed the attacker to potentially operate undetected over long periods. Socket confirmed it submitted a takedown request to Google. 

This incident followed a broader trend of supply-chain attacks targeting browser ecosystems; earlier in 2024, security firms identified over 40 malicious extensions impersonating major wallet providers on the Firefox browser.

Chain Street’s Take

Crypto Copilot is a reminder that the most dangerous attacks aren’t the loud ones. Quiet skimmers that slip extra instructions into otherwise routine Solana swaps are harder to spot and hit traders where they’re least prepared. The risk isn’t the install count but the technique. Any tool sitting in the browser layer now deserves the same scrutiny as a smart contract audit.

Frequently Asked Questions

Q: How do I check if I am infected?

A: Open your Chrome browser, go to chrome://extensions, and look for "Crypto Copilot." If it is installed, remove it immediately.

Q: Did this malware steal private keys?

A: There is no evidence it stole private keys. Instead, it modified transaction requests before you signed them. However, if you installed it, it is best practice to move funds to a new wallet as a precaution.

Q: Is the Raydium DEX safe to use?

A: Yes. The Raydium protocol itself was not compromised. The malware operated entirely within the user's browser, hijacking the interface before the transaction reached the blockchain.

The author, a seasoned journalist with no cryptocurrency holdings, presents this article for informational purposes only. It does not constitute investment advice or an endorsement of any cryptocurrency, security, or other financial instrument. Readers should conduct their own research and, if needed, consult a licensed financial professional before making any financial decisions.