Researchers at Socket have discovered a malicious Google Chrome extension named Crypto Copilot that deducts hidden fees during cryptocurrency trading.
The tool allowed transactions on the Solana network “directly through the feed on X.” However, each transaction incurred additional fees of at least 0.0013 SOL or 0.05% of the total amount.
The funds were directed to a wallet controlled by the attacker. Notably, the extension’s description does not mention these fees, and they were concealed through “obfuscated code.”
“When a user performs a swap, Crypto Copilot generates the expected swap instruction on Raydium, and then stealthily adds a second one that transfers SOL from the user [to the scammer],” explained the security experts.
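The appended second instruction described above can be seen by decoding a transaction before it is signed. The following JavaScript is an added example, not code from Socket or from the extension: it flags System Program transfers that move SOL from the user's wallet to a recipient the user did not expect. The simplified instruction shape ({ programId, accounts, data }) and every address in the sample are constructed placeholders; only the System Program address and its transfer layout are real Solana constants.

```javascript
// System Program address and its Transfer layout are fixed Solana constants.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const TRANSFER_INDEX = 2; // u32 LE discriminant, followed by u64 LE lamports

// Decode a System Program transfer; returns null for any other instruction.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer out of the user's wallet to a recipient that is
// neither the user nor in the caller-supplied list of expected recipients.
function findUnexpectedTransfers(instructions, user, expectedRecipients = []) {
  const allowed = new Set([user, ...expectedRecipients]);
  return instructions
    .map(decodeSystemTransfer)
    .filter((t) => t !== null && t.from === user && !allowed.has(t.to));
}

// Helper that builds transfer instruction data for the constructed sample.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a swap instruction followed by an extra SOL transfer.
// All addresses are placeholders, not values from the report.
const USER = "USER_WALLET_PLACEHOLDER";
const sampleTx = [
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, "POOL_PLACEHOLDER"],
    data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM, accounts: [USER, "UNKNOWN_RECIPIENT_PLACEHOLDER"],
    data: transferData(1300000n) }, // 0.0013 SOL expressed in lamports
];

const flagged = findUnexpectedTransfers(sampleTx, USER);
for (const t of flagged) {
  console.log(`unexpected transfer of ${t.lamports} lamports to ${t.to}`);
}
```

Swaps that wrap SOL legitimately include a System Program transfer to the user's own wrapped-SOL token account, so that account belongs in expectedRecipients to avoid a false positive.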
The extension connects to Phantom, Solflare, and other standard Solana wallets, and displays token data from DexScreener. The marketing text emphasizes speed, convenience, and “one-click trading.”
At the time of writing, Crypto Copilot remains available for download in the Chrome app store, although the Socket team has filed a complaint with Google. The extension has existed since June 2024.
“The program connects to the webpage, recognizes tokens, and offers a swap button next to popular posts [in X]. To connect and sign transactions, it requests standard wallet permissions, which is generally unusual,” the researchers noted.
Back in August, the Jupiter team discovered a malicious Chrome extension called Bull Checker, aimed at stealing assets on the Solana network.
