Months-Long Malware on Browsers Compromises Solana Traders’ Swaps

A malicious Chrome extension posing as a Solana trading assistant has been quietly siphoning fees from user swaps for months.

Crypto Copilot, live on the Chrome Web Store since June, targeted traders on the Solana DEX Raydium. It added a hidden second instruction to every swap, sending either 0.0013 SOL or 0.05% of the trade to an attacker-controlled wallet.

The attack exploited atomic transactions: wallet interfaces bundle multiple instructions into a single swap, so users unknowingly authorized both the intended trade and the hidden transfer. Cybersecurity firm Socket, which flagged the extension, compared it to confirming an order that secretly adds extra charges.

On-chain data shows limited adoption, but trades above 2.6 SOL trigger the 0.05% fee. The extension’s infrastructure appeared rushed, with a parked domain (cryptocopilot.app) and a blank backend dashboard collecting wallet metadata.

Socket requested a takedown from Google, but the extension remained live. Users are urged to avoid closed-source extensions requesting signing privileges and to transfer assets to new wallets if they interacted with Crypto Copilot.