
Cybersecurity experts warn that a malicious Chrome extension steals cryptocurrency on the Solana blockchain

12:18 pm, November 28, 2025

Socket experts have discovered a malicious Chrome browser extension called Crypto Copilot that steals Solana (SOL) tokens from users. It masquerades as an instant trading tool on the X social network (formerly Twitter), but in fact adds a hidden instruction to each transaction on the Solana blockchain that transfers part of the funds to the attacker’s wallet.

The extension was published on June 18, 2024, and was positioned as a convenient tool for trading tokens through the Raydium platform with connections to Phantom, Solflare, and other popular services. Socket found that Crypto Copilot builds a standard swap transaction but "quietly" adds a second instruction that sends SOL to Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. The hidden transfer is not displayed in the interface and looks like part of a normal transaction.

Experts explained that the extension's code has a built-in mechanism that charges a fee of 0.0013 SOL or 0.05% of the transaction amount, whichever is greater. For example, a 100 SOL swap adds 0.05 SOL in hidden fees. The code is obfuscated and minified, which makes it difficult to analyze. The extension also transmits data about wallets and user activity to a server associated with the suspicious domain crypto-coplilot-dashboard[.]vercel[.]app, whose name even contains a typo, a sign of a phishing scheme.

Socket warned that similar manipulations could be repeated in other Solana and EVM extensions. Warning signs include closed-source code, hardcoded wallet addresses, and hidden transfer instructions. Experts advise checking each transaction before confirming it, avoiding extensions from unknown sources, and, if Crypto Copilot was installed, revoking all permissions and transferring assets to a new wallet.
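One way to automate the "check each transaction" advice is sketched below as an added example; it is not Socket's code and not code from the extension. It assumes the transaction's instructions are available in the Solana RPC `jsonParsed` shape; the wallet, temporary account and swap program names are constructed placeholders, and the fee rule is the one reported above.

```javascript
// Added example: flag SOL transfers to accounts the signer does not control.
// Input shape follows the Solana RPC "jsonParsed" encoding for instructions.
const LAMPORTS_PER_SOL = 1_000_000_000;

// Fee rule as reported in the article: max(0.0013 SOL, 0.05% of the swap).
function reportedFeeLamports(swapLamports) {
  const flat = 1_300_000;                              // 0.0013 SOL
  const pct = Math.floor((swapLamports * 5) / 10_000); // 0.05%
  return Math.max(flat, pct);
}

function findUnexpectedTransfers(instructions, wallet) {
  const owned = new Set([wallet]);
  const findings = [];
  for (const [index, ix] of instructions.entries()) {
    if (ix.program !== "system" || !ix.parsed) continue;
    const { type, info } = ix.parsed;
    // Accounts the wallet creates in this transaction (for example a
    // temporary wrapped-SOL account) count as its own.
    if (type === "createAccount" && info.source === wallet) owned.add(info.newAccount);
    if (type === "transfer" && info.source === wallet && !owned.has(info.destination)) {
      findings.push({ index, destination: info.destination, lamports: info.lamports });
    }
  }
  return findings;
}

// Constructed sample: a 100 SOL swap with one appended transfer.
const WALLET = "UserWalletPlaceholder1111111111111111111111";   // placeholder
const TEMP_WSOL = "TempWsolPlaceholder11111111111111111111111"; // placeholder
const sample = [
  { program: "system", parsed: { type: "createAccount",
      info: { source: WALLET, newAccount: TEMP_WSOL, lamports: 100 * LAMPORTS_PER_SOL } } },
  { programId: "SwapProgramPlaceholder", accounts: [], data: "" }, // unparsed swap instruction
  { program: "system", parsed: { type: "transfer",
      info: { source: WALLET, destination: "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7",
              lamports: reportedFeeLamports(100 * LAMPORTS_PER_SOL) } } },
];

console.log(findUnexpectedTransfers(sample, WALLET));
```

Any finding means the transaction moves SOL out of the wallet to a third party alongside the swap, which is the pattern a wallet confirmation screen or a review script should surface before signing.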

The company has also published indicators of compromise, including the email address, the Chrome extension ID, the attacker's Solana address, and the domain mentioned above. This is not the first case of such attacks: in 2023, the Fantom Foundation lost $550,000 due to a vulnerability in Chrome, and in 2024, the Jupiter team reported a similar malicious extension that was also used to steal Solana users' funds.
