Google Chrome extension for crypto trading targets Solana users

Attackers are using a malicious Google Chrome extension disguised as a trading convenience tool to nick small portions of SOL out of the pockets of unsuspecting Solana users.

According to research conducted by cybersecurity firm Socket, the Chrome extension is currently still live on the Chrome Web Store under the name “Crypto Copilot.”

It’s being marketed as a productivity enhancer that lets users execute Solana trades directly from their X feed.

The extension currently has a 1-star rating and only 18 downloads as of press time, but has been live since June 18, 2024.

How is Crypto Copilot targeting Solana users?

At first glance, Crypto Copilot ticks all the boxes of a legitimate tool, integrating various third-party APIs like DexScreener for price data, Helius for Solana infrastructure access, and Phantom or Solflare for wallet connections. 

These features make it look and function like a genuine decentralized trading interface, while it quietly siphons off a hidden fee in the background.

“None of these services are malicious by themselves, but together they create a convincing façade around the core issue: every swap includes an undisclosed SOL transfer to a hardcoded personal wallet,” Socket wrote.

For executing trades, it uses Raydium, a decentralized exchange on Solana that allows users to swap tokens.

But behind the scenes, it appends an extra instruction that transfers a small cut of the transaction to the attacker’s wallet.

On the surface, the user sees only the expected swap details.

The wallet confirmation screens simply summarise the transaction without surfacing individual instructions, giving no obvious indication that two actions are being executed together.

When executing trades, users are only asked to approve the transaction once, with both the legitimate and malicious instructions executing together as a single atomic operation.

On-chain analysis conducted by Socket found only a limited number of transfers to the attacker’s wallet so far, which the team attributes to the fact that the extension has either not been widely promoted or is still in the early stages of distribution.

However, the extension has been built to scale efficiently, with Socket warning that the potential damage increases with the size and frequency of trades.

“Users with larger holdings or high-volume trading activity could incur substantially higher losses if they unknowingly rely on this extension for routine swaps. Over time, the attacker accumulates SOL directly inside their personal wallet, turning the extension into a recurring revenue mechanism rather than a legitimate DEX interface,” Socket added.

Socket has urged users to review every transaction instruction before signing, especially on Solana, where malicious behaviour like this can only be caught if a user manually expands and inspects each instruction.

Those who have already installed Crypto Copilot should migrate their funds to a clean wallet and revoke all previously connected sites immediately.

Malicious Chrome extensions continue to surface

Crypto Copilot is just one of many deceptive Chrome extensions that have surfaced on the Chrome Web Store.

Since the start of last year, the number of attacks using malicious extensions has been on the rise, with some managing to rake in millions in stolen funds.

Last year, Invezz reported on Bull Checker, another fake extension that targeted Solana users by disguising itself as a memecoin utility.

In reality, it hijacked transactions to reroute user funds to an attacker-controlled wallet.

Meanwhile, back in August, researchers at Koi Security uncovered that a group known as GreedyBear had siphoned over $1 million worth of cryptocurrency using malicious browser extensions, malware, and scam websites in a coordinated operation spanning multiple attack vectors.

The post Google Chrome extension for crypto trading targets Solana users appeared first on Invezz