Cryptocurrency thieves steal Solana through hidden Chrome extensions

The latest threat aimed at cryptocurrency users operates with surgical precision, and it runs inside their browser.

This is a sophisticated attack method in which malicious Chrome extensions inject hidden transfer fees into legitimate Solana transactions, allowing criminals to divert funds without users realizing they have been robbed.

Socket researchers identified the extension. What makes this attack particularly insidious is that victims sign the transactions themselves, unaware that hidden transfer instructions have been included in legitimate operations on Raydium and Jupiter.

The Socket threat research team has outlined all the details.

The team discovered the malicious Chrome extension, Crypto Copilot, published on June 18, 2024, which is marketed as a tool for executing trades instantly from your X feed.

Behind the interface, the extension injects an additional transfer into every Solana swap, diverting a minimum of 0.0013 SOL or 0.05% of the transaction amount to a hardcoded wallet controlled by the attacker.

This fee-skimming behavior is never disclosed in the Chrome Web Store listing, and the logic that implements it is buried in heavily obfuscated code.

When a user makes a swap, Crypto Copilot builds the expected Raydium swap instruction and then silently appends a second instruction that transfers SOL from the user's wallet to Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7.

The user interface only shows the details of the swap. Wallet confirmation screens often summarize the transaction without showing individual instructions.

Users sign what appears to be a single swap, but both instructions are executed together on-chain.
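Because wallet prompts summarize rather than enumerate instructions, a defender-side check has to decode the transaction's instructions itself before signing. The following is an added example (not code from the article or from Socket) that decodes System Program transfers and flags any that move SOL from the signer to an address the swap did not call for; the instruction shape and every address other than the one quoted above are assumptions or constructed placeholders.

```javascript
// Added example, not code from the article or from Socket: a pre-signing audit that
// decodes System Program transfers in a Solana transaction and flags any that move SOL
// out of the signer's wallet to an address the swap did not call for. The
// {programId, keys, data} shape mirrors a web3.js TransactionInstruction; every address
// except the one quoted in the article is a constructed placeholder.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // System Program discriminator for Transfer
const REPORTED_FEE_WALLET = "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7"; // named in the report
const MIN_SKIM_LAMPORTS = 1_300_000n; // 0.0013 SOL
// Decode a System Program Transfer: u32 LE discriminator, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.keys[0].pubkey, to: ix.keys[1].pubkey, lamports: view.getBigUint64(4, true) };
}
// Encode a Transfer in the same layout; used only to build the sample below.
function encodeSystemTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  const keys = [{ pubkey: from, isSigner: true, isWritable: true }, { pubkey: to, isSigner: false, isWritable: true }];
  return { programId: SYSTEM_PROGRAM_ID, keys, data };
}
// The skim the article describes (0.0013 SOL or 0.05% of the swap), read here as the larger of the two.
function expectedSkimLamports(swapLamports) {
  const pct = (swapLamports * 5n) / 10000n;
  return pct > MIN_SKIM_LAMPORTS ? pct : MIN_SKIM_LAMPORTS;
}
// Every SOL transfer out of `signer` whose recipient is not on the allowlist for this swap.
function findUnexpectedTransfers(instructions, signer, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === signer && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports, knownBad: t.to === REPORTED_FEE_WALLET });
    }
  });
  return findings;
}
// Constructed sample: a swap through a placeholder DEX program, then the hidden transfer appended.
const USER = "UserWa11et111111111111111111111111111111111";         // constructed placeholder
const DEX_PROGRAM = "DexProgram11111111111111111111111111111111";   // constructed placeholder
const SAMPLE_TX = [
  { programId: DEX_PROGRAM, keys: [{ pubkey: USER, isSigner: true, isWritable: true }], data: new Uint8Array([9]) },
  encodeSystemTransfer(USER, REPORTED_FEE_WALLET, expectedSkimLamports(5_000_000_000n)), // 5 SOL swap
];
```

Running `findUnexpectedTransfers(SAMPLE_TX, USER, [DEX_PROGRAM])` reports the appended transfer at index 1 as an unexpected 2,500,000-lamport payment to the reported wallet; in a real wallet or extension audit the allowlist would be the recipients the swap quote itself names.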
