Solana Wallet Extension Secretly Skims Fees From Traders for Months: Security Firm Exposes Crypto Copilot Malware
Introduction: The Hidden Cost of Convenience
A Chrome extension marketed as a convenient Solana trading tool has been secretly siphoning funds from users for months, security researchers have revealed. Cybersecurity firm Socket discovered that the "Crypto Copilot" extension, available on the Chrome Web Store, has been quietly appending hidden SOL transfers to every Raydium swap since last June. The malware adds an extra instruction to each swap transaction that sends the larger of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet, all while masquerading as a legitimate trading assistant. Despite Socket's findings and its subsequent takedown request to Google, the extension remained available on the Chrome Web Store at the time of the report's publication, highlighting ongoing challenges in browser-based crypto security.
The Discovery: How Security Researchers Uncovered the Scheme
Socket security engineer Kush Pandya told Decrypt that the malicious extension was identified during "continuous monitoring" of the Chrome Web Store. The discovery came through systematic analysis of extensions that combine social media integration with transaction signing capabilities—a combination that presents particular security risks. "Our AI scanner flagged multiple indicators: aggressive code obfuscation, a hardcoded Solana address embedded in transaction logic, and discrepancies between the extension's stated functionality and actual network behavior," Pandya explained. These automated alerts triggered deeper manual investigation that ultimately confirmed the hidden fee extraction mechanism.
The research methodology demonstrates how sophisticated monitoring systems can detect malicious activity even when attackers employ advanced obfuscation techniques. The extension's heavily obfuscated code represented a significant barrier to casual inspection, requiring specialized tools and expertise to analyze properly. This case illustrates why continuous, automated monitoring of browser extensions has become essential for identifying threats that might otherwise remain undetected for extended periods.
The Mechanism: How the Fee Skimming Operation Works
The method Crypto Copilot uses is simple to implement and deliberately concealed. A Solana transaction is a list of instructions that execute atomically, so each time a user executes a token swap through the extension, it builds the proper Raydium swap instruction and then appends a second instruction transferring SOL to the attacker's address. Raydium is a Solana-based decentralized exchange and automated market maker that executes these swaps against its liquidity pools.
The fee is the larger of a flat minimum and a percentage: for swaps up to 2.6 SOL the 0.0013 SOL minimum applies, and above that threshold the 0.05% fee takes over (the two are equal at exactly 2.6 SOL). A 100 SOL swap therefore loses 0.05 SOL to the attacker, roughly $10 at the prices cited in the report. Scaling with trade size keeps the theft proportional, so it is less likely to stand out on large trades while still accumulating meaningful revenue for the attacker over time.
What makes the scheme effective is how it is presented. The extension's interface shows only the swap details, and the wallet's approval pop-up summarizes the transaction so that the user appears to be signing a single swap. Because both instructions sit in the same transaction, one signature authorizes both, and the unauthorized transfer executes on-chain alongside the swap.
The Cover-Up: Obfuscation and Misdirection Tactics
The attackers behind Crypto Copilot employed multiple layers of deception to avoid detection and maintain their operation over several months. The extension's code featured aggressive obfuscation, making manual review extremely difficult for casual inspectors or automated scanning tools that lack sophisticated deobfuscation capabilities. This technical concealment was complemented by strategic misdirection in the extension's infrastructure.
According to Socket's analysis, the main domain cryptocopilot[.]app was parked at the domain registrar GoDaddy, presenting no active content. Meanwhile, the backend at crypto-coplilot-dashboard[.]vercel[.]app, notably misspelled with "coplilot" instead of "copilot", displayed only a blank placeholder page despite collecting wallet data from infected users. This misspelling and minimal web presence likely helped the extension avoid scrutiny from security researchers, who tend to investigate more polished or professionally presented projects first.
"The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code," Pandya noted in his analysis. This complete lack of disclosure meant users had no way to know about the hidden fees before installing and using the extension for their Solana trading activities.
The Impact: Scale and User Consequences
The attacker's wallet has received only small amounts since June. That reflects limited adoption of Crypto Copilot rather than low risk: the mechanism skims every swap regardless of how many users install the extension, so the modest total points to poor promotion or user caution around an unknown trading tool, not to any limit on the malicious code itself.
Users who installed Crypto Copilot believing it would streamline their Solana trading have unknowingly been paying hidden fees with every swap—fees that never appeared in the extension's marketing materials or Chrome Web Store listing. For active traders executing multiple swaps daily or weekly, these small deductions could accumulate into significant losses over time, all while remaining virtually undetectable without careful transaction analysis.
The case underscores how even extensions with limited user bases can pose serious risks, as their malicious functionality operates regardless of adoption scale. Each affected user faces both direct financial loss and potential compromise of their broader trading security, particularly if the extension had additional undisclosed capabilities beyond the fee skimming.
Broader Context: Malware Patterns in Crypto
The Crypto Copilot incident fits into a concerning pattern of increasingly sophisticated crypto-focused malware. In September, a separate malware strain called ModStealer was found targeting crypto wallets across Windows, Linux, and macOS through fake job recruiter ads. That malware evaded detection by major antivirus engines for almost a month, demonstrating how attackers continuously adapt their methods to bypass security measures.
Ledger CTO Charles Guillemet has previously warned about similar threats, noting that attackers had compromised an NPM developer account with malicious code attempting to silently swap crypto wallet addresses during transactions across multiple blockchains. These incidents collectively highlight a trend toward more targeted, financially motivated attacks specifically designed to exploit cryptocurrency users and developers.
Browser extensions represent a particularly vulnerable vector because they often require broad permissions and operate with significant access to user data and transaction capabilities. The trust users place in official marketplaces like the Chrome Web Store can create false confidence, leading to installation of tools without sufficient scrutiny of their actual behavior or security implications.
Protective Measures: Recommendations for Users
In response to the discovery, Socket has urged users to adopt several protective practices. The primary recommendation involves carefully reviewing each instruction before signing transactions, particularly when using browser-based wallets and extensions. Users should avoid closed-source trading extensions requesting signing permissions unless they come from verified, reputable developers with transparent codebases.
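The per-instruction review Socket recommends here, applied to the swap-plus-transfer structure described in the mechanism section, as an added example written for this article (it is neither Crypto Copilot's code nor Socket's tooling). It models a decoded Solana transaction as a plain list of instruction objects shaped like the `jsonParsed` encoding Solana RPC nodes return, implements the reported fee schedule, builds a skimmed swap beside a clean one, and flags any System Program transfer out of the payer to an address the user did not expect. The swap program id and both wallet addresses are constructed placeholders; only the System Program id (`11111111111111111111111111111111`) is real.

```javascript
// Added example for this article, not Crypto Copilot's code. Models the fee schedule
// Socket described and the "review each instruction before signing" check.
// All addresses except the System Program id are constructed placeholders.
const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana's System Program
const SWAP_PROGRAM_ID = "SwapProgram1111111111111111111111111111111"; // stands in for Raydium
const USER_WALLET = "UserWa11et1111111111111111111111111111111111";     // constructed
const ATTACKER_WALLET = "AttackerWa11et11111111111111111111111111111";  // constructed

// Fee schedule from the report: the larger of 0.0013 SOL and 0.05% of the trade, in lamports.
function skimFeeLamports(tradeLamports) {
  const minimum = 1_300_000;                               // 0.0013 SOL
  const percent = Math.floor((tradeLamports * 5) / 10_000); // 5 basis points
  return Math.max(minimum, percent);
}

// A clean swap: a single call into the swap program. The instruction data is a
// placeholder string; a real Raydium instruction carries encoded account and amount fields.
function buildCleanSwap(user, tradeLamports) {
  return [{ programId: SWAP_PROGRAM_ID, accounts: [user], data: `swap:${tradeLamports}` }];
}

// What the report describes: the same swap with a System Program transfer appended,
// so the user's one signature authorizes both instructions in one atomic transaction.
function buildSkimmedSwap(user, tradeLamports) {
  const ixs = buildCleanSwap(user, tradeLamports);
  ixs.push({
    programId: SYSTEM_PROGRAM_ID,
    parsed: {
      type: "transfer",
      info: { source: user, destination: ATTACKER_WALLET, lamports: skimFeeLamports(tradeLamports) },
    },
  });
  return ixs;
}

// Pre-signing review: walk every instruction (not the wallet's summary) and flag
// System Program transfers out of the payer to any destination not on the allow-list.
function findUnexpectedTransfers(instructions, payer, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const p = ix.parsed;
    if (!p || p.type !== "transfer") return;
    if (p.info.source !== payer) return;
    if (allowed.has(p.info.destination)) return;
    findings.push({ index, destination: p.info.destination, lamports: p.info.lamports });
  });
  return findings;
}

// Wraps the check into a sign/don't-sign decision with human-readable warnings.
function reviewBeforeSigning(instructions, payer, allowedDestinations = []) {
  const findings = findUnexpectedTransfers(instructions, payer, allowedDestinations);
  return {
    safeToSign: findings.length === 0,
    warnings: findings.map(
      (f) => `ix[${f.index}]: ${f.lamports / LAMPORTS_PER_SOL} SOL to ${f.destination} is not part of the swap`,
    ),
  };
}

// Demo: a 100 SOL swap through the skimming extension beside a clean one.
const hundredSol = 100 * LAMPORTS_PER_SOL;
console.log(reviewBeforeSigning(buildSkimmedSwap(USER_WALLET, hundredSol), USER_WALLET));
console.log(reviewBeforeSigning(buildCleanSwap(USER_WALLET, hundredSol), USER_WALLET));
```

Two caveats a practitioner should keep in mind. First, the check reads the instruction list itself rather than the wallet's human-readable summary, because that summary is exactly what the extension relied on to hide the transfer; if the transaction is a versioned transaction using address lookup tables, resolve them before comparing destinations. Second, an allow-list over top-level System Program transfers only catches the pattern reported here; a malicious program could move SOL inside a cross-program invocation instead, so the more robust review is to simulate the transaction and compare the payer's expected and simulated post-balances before signing.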
For those who installed Crypto Copilot, removing the extension and migrating assets to fresh wallets is strongly advised to prevent further exploitation. This precaution addresses the concern that a compromised extension may carry additional malicious functionality beyond what has been identified so far.
The security firm has also submitted a takedown request to Google's Chrome Web Store security team, though the extension remained available at the time of Socket's report publication. This delay between identification and removal highlights why user vigilance remains critical even when using vetted marketplaces.
Conclusion: Navigating an Evolving Threat Landscape
The Crypto Copilot case exemplifies ongoing security challenges in the browser-based crypto tool ecosystem. While the direct financial impact appears limited so far, the sophisticated concealment methods and extended duration of undetected operation demonstrate how easily malicious actors can exploit user trust and technical complexity.
This incident reinforces the need for continuous security monitoring of browser extensions, particularly those handling financial transactions. Users must balance convenience against security considerations, recognizing that even officially listed extensions can contain hidden malicious functionality. The cybersecurity community's evolving detection capabilities provide crucial protection, but ultimately cannot replace user education and cautious computing practices.
As blockchain interactions increasingly move toward browser-based interfaces, developers, security researchers, and platform operators face shared responsibility for ensuring these tools don't become vectors for exploitation. The response from Google's Chrome Web Store team regarding Socket's takedown request will serve as an important indicator of how effectively major platforms can respond to such threats moving forward. For now, crypto users should remain vigilant about the extensions they install and regularly audit their transaction histories for unexpected activity.