Chrome Extension Discovered Secretly Adding Hidden Solana Transfer Fees to Raydium Swaps

Chrome extension scam alert: Crypto Copilot steals Solana by injecting hidden fees into Raydium swaps. Find out if you're affected and how to protect yourself.

Nov 29, 2025 - 10:13

Cybersecurity researchers have identified a malicious Chrome Web Store extension that secretly injects unauthorized Solana transfers into swap transactions, sending the funds to an attacker-owned wallet.

The extension is titled Crypto Copilot and was first uploaded by an individual named sjclark76 on May 7, 2024. According to the developer's description of the browser plugin, it claims to let users trade crypto directly on X with real-time insights & seamless execution. At the time of writing, the extension had been installed up to 12 times and was still available for download.

Beneath the surface, the extension inserts an additional transfer into every Solana swap, siphoning at least 0.0013 SOL or 0.05% of the transaction value to a pre-programmed, attacker-controlled wallet, Socket security analyst Kush Pandya said in an analysis published on Tuesday.

More precisely, the extension contains obfuscated code that triggers when a user executes a swap on Raydium, modifying the swap to include a hidden SOL transfer as part of the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.

The mechanism works by adding a hidden instruction, built with the SystemProgram.transfer utility method, to each swap before the user is asked to sign, routing the fee to a hard-coded wallet embedded within the code. The fee is calculated from the amount traded: at least 0.0013 SOL for transactions under 2.6 SOL, and up to 0.05% of the swap value for transactions that exceed 2.6 SOL. To make detection difficult, the malicious functionality is obfuscated with techniques such as minification and variable renaming.
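The sketch below is an added example, not code from the extension or from Socket's analysis: it audits a transaction's instruction list before signing and flags any System Program transfer to a recipient the user does not control, and it reproduces the fee rule described above. The instruction shape (`programId`, `keys`, `data`), the wallet names and the sample transaction are simplified, constructed assumptions.

```javascript
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000n;
const MIN_FEE_LAMPORTS = 1_300_000n; // 0.0013 SOL, the floor reported in the article

// Fee rule from the article: the greater of 0.0013 SOL and 0.05% of the swap.
// The two values are equal at 2.6 SOL, which is where the rule switches over.
function reportedFeeLamports(swapLamports) {
  const pct = (swapLamports * 5n) / 10_000n; // 0.05%
  return pct > MIN_FEE_LAMPORTS ? pct : MIN_FEE_LAMPORTS;
}

// A System Program Transfer is 12 bytes: u32 LE index (2) followed by u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  if (ix.data.length !== 12 || ix.keys.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.keys[0], to: ix.keys[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer whose recipient is not on the caller's allow-list.
// Assumption: the allow-list holds the user's own accounts, because a swap may
// legitimately move SOL into the user's own wrapped-SOL account.
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  return instructions
    .map(decodeSystemTransfer)
    .filter((t) => t !== null && !allowed.has(t.to));
}

// Constructed sample data (placeholder account names, not real addresses).
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}
const USER = "UserWalletPlaceholder";
const USER_WSOL = "UserWrappedSolPlaceholder";
const UNKNOWN = "UnknownRecipientPlaceholder";
const swapLamports = 1n * LAMPORTS_PER_SOL;
const sampleTx = [
  { programId: SYSTEM_PROGRAM_ID, keys: [USER, USER_WSOL], data: transferData(swapLamports) },
  { programId: "AmmProgramPlaceholder", keys: [USER, USER_WSOL], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, keys: [USER, UNKNOWN],
    data: transferData(reportedFeeLamports(swapLamports)) },
];
const flagged = findUnexpectedTransfers(sampleTx, [USER, USER_WSOL]);
console.log(flagged); // one entry: the transfer to the unknown recipient
```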

The extension also communicates with a backend server hosted at the domain "crypto-coplilot-dashboard.vercel[.]app" to log which wallets are connected, fetch points and referral data, and monitor user activity. This domain, along with "cryptocopilot[.]app," does not host any legitimate product.

What makes this attack particularly concerning is that users remain completely unaware of the hidden platform fee, because the user interface displays only the swap details. Crypto Copilot also embeds legitimate services, such as DexScreener and Helius RPC, into its product to build an element of trust.

"Because this transfer is inserted silently, and routed to a personal wallet rather than a protocol treasury, most users would never notice this unless they review every instruction before signing," Pandya said. "The supporting infrastructure appears to be designed solely to pass Chrome Web Store review and create an appearance of legitimacy while extracting fees behind the scenes."