Security researchers at Socket, a firm specializing in supply chain security for open-source software, have recently uncovered a dangerous Chrome extension called Crypto Copilot that poses as a helpful tool for Solana cryptocurrency trading but secretly drains users’ SOL tokens by injecting unauthorized fees into every transaction. Published on the Chrome Web Store on June 18, 2024, by a developer listed as “sjclark76,” the extension markets itself as a seamless way to execute trades directly from X (formerly Twitter) feeds, complete with real-time token insights and integration with popular wallets. This discovery, detailed in Socket’s in-depth analysis released on November 25, 2025, highlights how the extension exploits the fast-paced nature of Solana’s decentralized finance (DeFi) ecosystem to siphon funds without users’ awareness, raising alarms about the risks of browser-based crypto tools.
At first glance, Crypto Copilot appears legitimate and user-friendly, promising to simplify trading for those following token launches and market buzz on social media platforms. It integrates smoothly with established Solana wallets such as Phantom and Solflare, fetches live token data from DexScreener—a reputable analytics platform—and routes all swaps through Raydium, Solana’s leading automated market maker (AMM) and decentralized exchange (DEX). For traders who thrive on speed, the extension’s pitch of “one-click trades from your X feed” sounds like a game-changer, allowing users to spot a token mention in a post and swap instantly without leaving the app. However, this convenience is a facade; the Chrome Web Store listing omits any mention of fees, transfers, or additional charges, a deliberate gap that enables the extension’s core malicious function to operate undetected.
The extension’s low profile—boasting only around 12 installs as of late November 2025—suggests it hasn’t spread widely yet, but its sophisticated design makes it a ticking time bomb for Solana users. Socket’s team, led by security researcher Kush Pandya, emphasized that the tool’s infrastructure mimics legitimate services to pass initial reviews, blending in with the growing wave of crypto-focused browser add-ons. This case underscores broader vulnerabilities in the Chrome Web Store, where extensions requesting wallet permissions can access sensitive on-chain actions, potentially leading to widespread exploitation if adoption increases. As Solana’s ecosystem continues to boom with meme coins, NFTs, and high-volume trading, tools like this exploit the trust users place in quick, social-media-driven decisions.
Inside the Hidden Fee Mechanism: How the Theft Happens Step by Step?
Delving into the technical workings, Crypto Copilot’s malice lies in its ability to manipulate Solana swap transactions at the instruction level, appending a covert transfer that sends SOL to the attacker’s wallet without triggering obvious alerts. When a user initiates a trade—say, swapping one token for another via Raydium—the extension first assembles the standard swap instructions using legitimate Solana program calls, ensuring the core transaction looks normal. Then, it activates obfuscated JavaScript code that calculates a “platform fee” based on hardcoded parameters: the greater of 0.0013 SOL (a fixed minimum) or 0.05% of the total swap amount. For example, a small trade under 2.6 SOL value would deduct the flat 0.0013 SOL, while a larger 100 SOL swap would extract 0.05 SOL, quietly routing it to the hardcoded attacker address Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7.
This fee injection occurs through a sneaky SystemProgram.transfer instruction, a basic Solana utility for moving tokens, which the extension tacks onto the end of the swap bundle right before the user is prompted to sign. The code employs aggressive minification—compressing and renaming variables to gibberish like single letters or numbers—to evade simple code reviews or antivirus scans, making the malicious logic nearly invisible to casual inspection. Once signed, the entire package executes atomically on the Solana blockchain, meaning both the intended swap and the hidden transfer happen simultaneously as one indivisible event. Most wallet interfaces, including those from Phantom and Solflare, display this as a single “swap” action on confirmation screens, summarizing the transaction without breaking down individual instructions—a flaw that attackers exploit to keep users in the dark.
On-chain forensics from blockchain explorers like Solscan reveal that transfers to the attacker’s wallet have been minimal so far, likely due to the extension’s limited user base rather than any built-in safeguards. However, the mechanism is scalable: as more users install it and perform frequent or high-value trades, the cumulative losses could mount quickly, turning it into a passive income stream for the operator. Socket’s report notes that this approach mirrors tactics in other crypto scams, where small, repeated drains go unnoticed until balances dwindle unexpectedly. For active Solana traders handling volatile assets like meme tokens, even a 0.05% skim on multiple daily swaps could erode profits significantly over weeks or months, emphasizing the need for granular transaction oversight.
Fabricated Infrastructure: Building a Facade of Legitimacy
Further investigation into Crypto Copilot’s backend reveals a hastily assembled, non-functional setup designed solely to mimic a real product and slip past Chrome’s automated and manual reviews. The extension connects to a server at crypto-coplilot-dashboard.vercel.app, a domain hosted on Vercel’s cloud platform, for routine tasks like registering connected wallets, tracking fictional “points” for user engagement, and logging referral activity. In reality, visiting this backend yields only a blank, placeholder page with no interactive elements, dashboards, or data processing—clear signs of a sham operation rather than a supported trading service. Similarly, the main promotional site, cryptocopilot.app, is a parked domain managed by GoDaddy, displaying generic holding messages without any content about the extension’s features or support.
A telling red flag is the backend domain’s typo: “coplilot” instead of the correct “copilot,” a sloppy error that no professional developer would overlook, pointing to disposable infrastructure typical of cybercriminal campaigns. To bolster its credibility, the extension pulls in genuine third-party APIs, such as DexScreener for token prices and charts, and Helius RPC endpoints for efficient blockchain queries, creating an illusion of robust, integrated functionality. This hybrid approach—pairing fake elements with real services—helps it evade detection during the Web Store’s approval process, where reviewers might test surface-level features but miss the deeper code manipulations. Socket researchers highlighted that such “veneer of legitimacy” is a common ploy in malware distribution, allowing extensions to operate for months before exposure.
The overall architecture suggests the creators prioritized evasion over longevity, using cheap, anonymous hosting to avoid traceability. Blockchain analysis shows the attacker wallet receiving sporadic small deposits, but no links to known hacking groups yet, though patterns resemble solo operators targeting DeFi users. In the context of Solana’s rapid growth—handling billions in daily volume—this setup could evolve into a more aggressive threat if refined, potentially inspiring copycats in other blockchains like Ethereum or Base.
The Broader Risks: Why This Threatens Solana’s Trading Community?
Although Crypto Copilot’s impact remains contained due to its obscurity, the incident exposes systemic risks in the intersection of browser extensions and blockchain trading, particularly in Solana’s high-speed environment where users prioritize velocity over verification. Solana’s architecture, with its low fees and sub-second finality, attracts day traders and social-media influencers chasing pumps, but it also amplifies vulnerabilities like atomic transactions that bundle multiple actions without clear breakdowns. Similar attacks have targeted Solana before, including wallet drainers disguised as airdrop claimers or phishing links, but browser extensions add a new layer of stealth since they run persistently in the background with broad permissions.
This case aligns with rising trends in crypto malware, where attackers leverage the Chrome Web Store’s 200,000+ extensions to reach tech-savvy users who might dismiss warnings about “unknown sources.” Microsoft’s security blogs and other reports document how info-stealers and RATs (remote access trojans) increasingly hunt for crypto wallet data in browser storage, but Crypto Copilot innovates by monetizing directly through on-chain theft rather than outright draining. For the Solana community, which saw over $1 billion in exploits in 2024 alone according to Chainalysis, this underscores the dangers of granting signing authority to unvetted tools—especially those promising social integration, which encourage hasty approvals amid FOMO (fear of missing out).
Vigilance is crucial as Solana’s DeFi TVL (total value locked) surges past $10 billion in late 2025, drawing more retail traders to tools that bridge Web2 social feeds with Web3 actions. Without proactive measures from platforms like Google and wallet providers, such extensions could proliferate, eroding trust in browser-based crypto access and pushing users toward more secure, but less convenient, alternatives like hardware wallets.
Immediate Steps for Users: Protecting Your Solana Assets
As of November 27, 2025, Crypto Copilot remains listed on the Chrome Web Store despite Socket’s takedown request to Google’s security team, so immediate action is essential for anyone who may have encountered or installed it. Start by uninstalling the extension via Chrome’s settings (chrome://extensions/), then transfer all assets from affected wallets to a new, clean one generated offline to prevent any lingering access. Use revocation tools like revoke.cash or Solana’s own explorer features to disconnect and nullify permissions for any sites or dApps linked through the extension, ensuring no future transactions can be intercepted.
When evaluating new trading tools, stick to open-source options or those from verified publishers, and avoid anything requesting broad wallet-adapter permissions without transparent code audits—resources like GitHub or Socket’s npm registry can help verify legitimacy. Before signing any transaction, especially on Solana, expand the details in your wallet interface to inspect individual instructions; flag any unexpected SystemProgram.transfer calls that don’t align with your swap intent, as these often signal hidden drains. For added safety, enable transaction simulations in wallets like Phantom, which preview outcomes without executing them.
Looking ahead, this scam’s emergence signals a need for ecosystem-wide improvements, such as better instruction visualization in wallets and stricter Chrome policies for crypto extensions. Users should monitor on-chain activity regularly via explorers and consider multi-signature setups for larger holdings. By fostering these habits, the Solana community can mitigate similar threats, preserving the blockchain’s reputation as a secure hub for DeFi innovation.
