Chrome Extension Caught Skimming Solana Trades – Users Unknowingly Paying Hacker Fee
A Google Chrome browser extension advertised as a shortcut for trading Solana directly from the X (Twitter) feed has been identified as malware, quietly siphoning funds from every transaction executed through it.
- A malicious Chrome extension added hidden fees to every Solana swap and routed them to an attacker.
- The plug-in has been live since June and marketed itself as a trading shortcut for X users.
- Chrome extensions remain a high-risk environment for crypto transactions due to broad permissions and limited visibility into instructions users sign.
Cybersecurity firm Socket uncovered the scheme and reported that the extension — titled Crypto Copilot — inserts a hidden fee into each swap. Instead of draining entire wallets in a single hit (the hallmark of most Solana-focused malware), the attacker opted for a slower and less noticeable method: taking a small cut from every trade.
How the theft is carried out
Socket’s review of the code revealed that Crypto Copilot routes swaps through Raydium, a popular Solana DEX. But before users approve the transaction, the extension adds an extra instruction that funnels part of the trade — a minimum of 0.0013 SOL or roughly 0.05% of the swap value — to the attacker.
The extension relies on the fact that most users only review the high-level summary shown in the wallet approval window. Because both transfers execute in the same transaction, there is no visible indication that a second transfer is taking place.
Installed since June — barely noticed until now
Crypto Copilot has been available on the Chrome Web Store since June 18, 2024. According to the storefront listing, it has 15 active users, though the exact number affected by unauthorized transfers is unclear.
The extension marketed itself as a productivity upgrade — enabling Solana swaps without leaving the X interface — which likely helped it avoid early suspicion. Socket says it has already requested that Google remove the listing, but the plug-in remained accessible at the time of reporting.
Growing pattern of Chrome-based wallet theft
This is not an isolated case. Malicious Chrome extensions have become one of the most effective attack vectors targeting crypto users:
- Earlier this month, Socket flagged another highly downloaded wallet extension that was draining funds.
- In August, the Jupiter team warned Solana users about a Chrome plug-in that emptied wallets.
- In June 2024, a Chinese trader reported losing $1 million after installing a malicious extension that harvested browser cookies and gained access to his Binance account.
Security researchers caution that Chrome extensions have become a preferred target because users often accept permission prompts without understanding the access being granted.
The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.
Alex is Editor-in-Chief of Coindoo and co-founder of Millennial Media Group, with nearly a decade of experience covering financial markets - crypto first, then everything else. It started in 2016 with Bitcoin. Like most people at the time, he didn't fully understand it - so he kept digging. Blockchain, tokenomics, the projects, the cycles. That curiosity never stopped, and eventually pulled him into traditional markets too: equities, commodities, macro. Not because he left crypto behind, but because you can't properly understand one without the other. What drives him is straightforward: he wants to know why something is happening, not just that it's happening. Most market coverage stops at the headline - price up, price down, here's a chart. Alex finds that kind of reporting actively unhelpful. If you walk away from an article without understanding the mechanism behind the move, what did you actually learn? He holds a degree in Tourism from New Bulgarian University - not the most obvious path into financial markets, but markets have a way of pulling in people who are simply too curious to stay out. He has authored over 200 in-depth analyses and more than 10,000 articles across crypto and traditional finance. He still thinks every day in markets teaches him something new. That's probably why he hasn't stopped.
