Solana News Today: Deceptive Chrome Extension Secretly Drains Solana Assets by Abusing User Trust

Crypto Copilot Chrome Extension Secretly Steals Fees from Solana Trades

A deceptive Google Chrome extension called Crypto Copilot has been exposed for covertly extracting hidden fees from users conducting Solana (SOL) transactions. Promoted as a tool for seamless Solana swaps directly from social media, the extension exploits users’ trust in browser-based trading solutions.

Cybersecurity experts at Socket discovered that Crypto Copilot secretly inserts an extra transfer command into every transaction. This results in a concealed fee—either 0.0013 SOL or 0.05% of the transaction value—being funneled to a wallet controlled by the attacker. The extension’s interface only displays the legitimate swap, effectively hiding the additional on-chain instruction that executes simultaneously.

How the Attack Works

Crypto Copilot utilizes Solana’s decentralized exchange Raydium to process swaps. However, it appends a SystemProgram.transfer instruction to siphon off funds. Unlike traditional wallet-draining attacks that empty entire balances, this extension quietly skims a small amount from each trade, making detection more difficult.

The malicious code is heavily obfuscated to avoid security scans, and its backend is hosted on a seemingly inactive domain. The main website is currently parked, further masking its true purpose. Despite a removal request sent to Google, the extension remains available on the Chrome Web Store since June 18, 2024, and has reportedly been installed by at least 15 users as of November 2025.

Rising Threats from Malicious Extensions

This incident highlights a growing wave of attacks leveraging browser extensions within the cryptocurrency sector. In recent months, similar tactics have been used by other extensions, including a popular wallet tool and a Jupiter DEX aggregator, both of which have been implicated in draining Solana wallets.

According to industry reports, an 18-month investigation uncovered 186 crypto-related malicious extensions, many of which evaded antivirus detection for extended periods. With the Chrome extension ecosystem reaching over 3 billion devices, these threats can spread rapidly, often using misleading permissions or cloned interfaces to deceive users.

Protecting Yourself from Extension-Based Scams

The stealthy fee skimming by Crypto Copilot can lead to significant losses, especially for frequent traders. Security professionals recommend several precautions:

• Carefully review all transaction details before approving any operation.
• Refrain from installing unverified or suspicious browser extensions.
• Regularly audit installed extensions for unnecessary permissions.
• Check wallet connection histories for unusual activity.
• Enable transaction simulation features on Solana explorers to spot irregularities.

Broader Security Concerns in DeFi

This case also underscores persistent security challenges in decentralized finance (DeFi) applications. While Solana’s ecosystem continues to expand with major upgrades like Firedancer and Alpenglow, vulnerabilities in user-facing tools remain a significant risk. As both institutional and retail investors increasingly use crypto ETFs and multi-chain wallets, comprehensive security audits and ongoing user education are essential to reduce exposure to such threats.