
Some crypto trading tools are secretly siphoning customer funds little by little with every transaction. The Chrome extension Crypto Copilot was flagged as malicious by Socket researchers, who discovered that it adds a hidden fee to every trade: a flat 0.0013 SOL, or 0.05% of the trade on larger swaps.
The Crypto Copilot Chrome extension is marketed as a crypto trading tool that allows users to buy or sell crypto directly on X within their feed.
“This innovative plugin integrates seamlessly with the X interface, allowing you to act on trading opportunities instantly without the need for switching between apps or platforms,” the creator, using a moniker sjclark76, writes on the Google Chrome Web Store.
However, Socket, a cybersecurity firm, discovered that the extension is malicious and adds hidden Solana fees on every trade, which are then transferred to an attacker-controlled wallet.
The additional surcharges are small enough that users may not notice them.
The extension charges a flat 0.0013 SOL ($0.19) per trade, or 0.05% of the trade on swaps larger than 2.6 SOL ($371), the point at which the percentage fee exceeds the flat amount.
Socket researchers say that the extension manipulates swaps on Raydium, a decentralized exchange on Solana, to quietly inject additional transfers without disclosure and siphon funds.
Solana traders already pay small base blockchain fees for every transaction, sometimes with added priority fees, as well as extra charges from crypto exchange platforms.
“The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code,” Socket said in a report.
While this particular Chrome extension doesn’t have many users, its malicious behaviour hasn’t been noticed for over a year, and there are likely more extensions with similar patterns. Crypto Copilot remains available at the time of writing, despite Socket’s takedown request to Google.
The tip of the iceberg?
The attacker has only made $6.86 so far, according to the on-chain data for the provided wallet address.
The limited scale of this attack only reflects the extension’s low distribution – the risks remain high, Socket researchers say. The extension hasn’t been widely advertised and was last updated on June 18th, 2024.
“Similar patterns are likely to appear in other Solana and EVM trading extensions,” the report reads.
“Extensions that combine social-media content scripts with transaction signing capabilities should be treated as high-risk.”
This example illustrates how easily attackers can add unexpected transfers, hardcoded wallet addresses, and additional opaque backend requests. Many extensions that present themselves as convenience tools lack clear documentation or even a functioning product website.
The report details the fee injection mechanism. The extension uses hardcoded parameters to calculate the fee and appends a transfer for that amount to the swap transaction before requesting the user’s signature. The extension’s interface shows the user only a swap preview.
“The additional outbound transfer is embedded in the same transaction and typically overlooked unless the user expands the full instruction list in their wallet,” Socket explains.
The extension is built to give its operator visibility into wallet usage, connected accounts, and trading behavior. However, the two backend websites it points to are not functional and expose no services, so the extension ends up sending user data to broken APIs. This suggests the extension was thrown together hastily and could be a work-in-progress or a demonstration.
“Crypto Copilot also relies on multiple external services; these integrations exist mainly to mimic the behavior of a legitimate trading extension,” the researchers said.
“None of these services are malicious by themselves, but together they create a convincing facade.”
Crypto users should review every instruction in a transaction before signing, especially on Solana, and look for any unexpected instructions in swap workflows.
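The following is an added example, not code from the Crypto Copilot extension or from Socket’s report. It models, in plain JavaScript with no Solana SDK, the fee injection described above (a swap transaction shown as a preview, then a System Program transfer to a hardcoded wallet appended to the same transaction before signing) together with the check recommended here: a wallet-side routine that walks every instruction and flags outbound transfers the swap does not require. The fee schedule follows the reported numbers; the swap program name, the attacker wallet and the user wallet are constructed placeholders, and only the System Program id is real.

```javascript
// Added example, not code from the Crypto Copilot extension or from Socket's report.
// Models a Solana transaction as a list of instructions, the hidden fee transfer appended
// to it, and a wallet-side check that enumerates every instruction before signing.
// All addresses except the System Program id are constructed placeholders.

const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // the real Solana System Program id
const SWAP_PROGRAM = "SwapProgramPlaceholder";             // placeholder, not a real program id
const ATTACKER_WALLET = "AttackerFeeWalletPlaceholder";    // placeholder, not the real wallet

// Fee schedule as reported: flat 0.0013 SOL, or 0.05% (5 basis points) of the trade when that
// is larger, which happens for trades above 2.6 SOL (2.6 SOL * 0.05% = 0.0013 SOL).
const FLAT_FEE_LAMPORTS = 1_300_000;
const FEE_BPS = 5;

function hiddenFeeLamports(tradeLamports) {
  const percentFee = Math.floor((tradeLamports * FEE_BPS) / 10_000);
  return Math.max(FLAT_FEE_LAMPORTS, percentFee);
}

// The transaction the user believes they are signing: a single swap instruction.
function buildSwapTransaction(user, tradeLamports) {
  return {
    feePayer: user,
    instructions: [
      { programId: SWAP_PROGRAM, keys: [user], data: { kind: "Swap", amountIn: tradeLamports } },
    ],
  };
}

// What the malicious extension does between "show preview" and "request signature":
// append a System Program transfer from the user to a hardcoded wallet in the same transaction.
function injectHiddenFee(tx, user, tradeLamports) {
  const lamports = hiddenFeeLamports(tradeLamports);
  return {
    ...tx,
    instructions: [
      ...tx.instructions,
      { programId: SYSTEM_PROGRAM, keys: [user, ATTACKER_WALLET], data: { kind: "Transfer", lamports } },
    ],
  };
}

// Wallet-side check: walk every instruction and report any System Program transfer that
// moves lamports out of the user's account to a destination the swap does not require.
function auditOutboundTransfers(tx, user, expectedDestinations) {
  const allowed = new Set(expectedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM || ix.data.kind !== "Transfer") return;
    const [from, to] = ix.keys;
    if (from === user && !allowed.has(to)) {
      findings.push({ index, to, lamports: ix.data.lamports, sol: ix.data.lamports / LAMPORTS_PER_SOL });
    }
  });
  return findings;
}

// Demo on a constructed 1 SOL trade: the preview is clean, the submitted transaction is not.
const USER = "UserWalletPlaceholder";
const preview = buildSwapTransaction(USER, 1 * LAMPORTS_PER_SOL);
const submitted = injectHiddenFee(preview, USER, 1 * LAMPORTS_PER_SOL);
console.log("preview findings:", auditOutboundTransfers(preview, USER, []));
console.log("submitted findings:", auditOutboundTransfers(submitted, USER, []));
```

The point of the check is that it inspects the transaction object that is actually passed to the signing call, not the preview rendered by the extension; a fee transfer that is absent from the preview but present in the instruction list is exactly the pattern the report describes.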
The researchers recommend avoiding closed-source trading extensions that request signing or sendTransaction permissions.
“Install wallet extensions only from verified publisher pages, not Chrome Web Store search results.”
Assets from exposed wallets should be migrated to clean wallets, and the permissions of all connected sites should be revoked.