{"id":91515,"date":"2025-11-27T21:10:25","date_gmt":"2025-11-27T18:10:25","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=91515"},"modified":"2025-11-27T21:15:12","modified_gmt":"2025-11-27T18:15:12","slug":"malicious-chrome-extension-targets-solana-traders","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/malicious-chrome-extension-targets-solana-traders\/","title":{"rendered":"Malicious Chrome Extension Targets Solana Traders"},"content":{"rendered":"<p>A malicious browser extension for Google Chrome named Crypto Copilot has been discovered, which deducts hidden fees during cryptocurrency trading. This was highlighted by researchers at <a href=\"https:\/\/socket.dev\/blog\/malicious-chrome-extension-injects-hidden-sol-fees-into-solana-swaps\">Socket<\/a>.<\/p>\n<p>The tool allowed transactions on the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-solana-sol\">Solana<\/a> network &#8220;directly through the feed on X.&#8221; However, each transaction incurred additional fees of at least 0.0013 SOL or 0.05% of the total amount.<\/p>\n<p>The funds were directed to a wallet controlled by the attacker. Notably, the extension&#8217;s description does not mention these fees, and they were concealed through &#8220;obfuscated code.&#8221;<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;When a user performs a swap, Crypto Copilot generates the expected swap instruction on Raydium, and then stealthily adds a second one that transfers SOL from the user [to the scammer],&#8221; explained the security experts.<\/p>\n<\/blockquote>\n<p>The extension connects to Phantom, Solflare, and other standard Solana wallets, and displays token data from DexScreener. The marketing text emphasizes speed, convenience, and &#8220;one-click trading.&#8221;<\/p>\n<p>As of writing, Crypto Copilot remains available for download in the Chrome app store, although the Socket team has filed a complaint with Google. The extension has been in existence since June 2024.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"734\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-76b9610ea4011350-10653694874372981-1024x734.png\" alt=\"image\" class=\"wp-image-270666\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-76b9610ea4011350-10653694874372981-1024x734.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-76b9610ea4011350-10653694874372981-300x215.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-76b9610ea4011350-10653694874372981-768x550.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-76b9610ea4011350-10653694874372981.png 1126w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: chromewebstore.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;The program connects to the webpage, recognizes tokens, and offers a swap button next to popular posts [in X]. To connect and sign transactions, it requests standard wallet permissions, which is generally unusual,&#8221; the researchers noted.<\/p>\n<\/blockquote>\n<p>Back in August, the Jupiter team <a href=\"https:\/\/forklog.com\/en\/news\/bull-checker-extension-pilfers-meme-tokens-from-users\">discovered<\/a> a malicious Chrome extension called Bull Checker, aimed at stealing assets on the Solana network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A malicious browser extension for Google Chrome named Crypto Copilot has been discovered, which deducts hidden fees during cryptocurrency trading.<\/p>\n","protected":false},"author":1,"featured_media":91516,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"Malicious Chrome extension Crypto Copilot targets Solana traders with hidden fees.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,738,1159],"class_list":["post-91515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-google","tag-solana-sol"],"aioseo_notices":[],"amp_enabled":true,"views":"159","promo_type":"","layout_type":"","short_excerpt":"Malicious Chrome extension Crypto Copilot targets Solana traders with hidden fees.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=91515"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91515\/revisions"}],"predecessor-version":[{"id":91517,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91515\/revisions\/91517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/91516"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=91515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=91515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=91515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}