A newly discovered malicious extension on the Chrome Web Store, named Crypto Copilot, has been identified as capable of subtly stealing Solana (SOL) cryptocurrency from unsuspecting users. Published on May 7, 2024, by a user under the name “sjclark76,” the extension purported to offer the ability to “trade crypto directly on X with real-time insights and seamless execution,” despite having only 12 installs when its malicious nature was exposed. It remained available for download at the time of the report.
The core of the attack lies in the extension’s ability to inject an extra transfer into every Solana swap transaction initiated by the user. According to security researchers at Socket, this hidden transfer siphons off a minimum of 0.0013 SOL or 0.05 percent of the total trade amount, directing the stolen funds to a specific, hardcoded attacker-controlled wallet. This mechanism is specifically triggered when a user performs a Raydium swap, Raydium being a popular decentralized exchange (DEX) on the Solana blockchain.
The malicious functionality is implemented through obfuscated code that is activated during the swap process. Before the user is asked to sign the transaction, the extension quietly appends a hidden SystemProgram.transfer instruction to the transaction. The fee is calculated based on the trade size, with a minimum of 0.0013 SOL for smaller trades and 2.6 SOL plus 0.05 percent of the swap amount for trades exceeding 2.6 SOL. The attackers employed techniques such as minification and variable renaming to conceal this behavior and avoid easy detection by security reviews.
Adding to its facade of legitimacy, the Crypto Copilot extension uses external communications with a backend hosted on the domain crypto-coplilot-dashboard.vercel[.]app to register connected wallets and fetch dummy information like points and referral data, as well as to report user activity. Furthermore, the scheme uses entirely legitimate services, such as DexScreener and Helius RPC, which are commonly used in the crypto space, to lend a convincing veneer of trust to the operation, despite the associated domains not hosting any real product.
The most notable aspect of this attack is the complete lack of disclosure to the user regarding the hidden platform fee. Users only see the expected details of their intended swap in the interface, remaining totally unaware of the appended, unauthorized transfer. Researchers emphasized that because the transfer is added silently and routed to a personal wallet rather than a standard protocol treasury, most users would never notice the theft unless they meticulously inspect every instruction within the transaction before signing. The entire surrounding infrastructure appears to have been designed solely to pass the Chrome Web Store review process while consistently siphoning small fees in the background.
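The instruction-level inspection the researchers describe can be automated before signing. The following is an added example, not code from the Socket report or the extension: it walks a transaction's instructions, decodes any System Program transfer, and flags transfers from the signer to an account outside an allow-list. The wallet addresses, the swap program id and the sample transaction are constructed placeholders; the System Program id and the Transfer data layout (u32 LE discriminator 2, then u64 LE lamports) are Solana's.

```javascript
// Added example (not from the report or the extension): pre-signing check that
// flags System Program transfers to unexpected destinations.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program

// Decode a System Program instruction; returns null unless it is a Transfer.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(Uint8Array.from(ix.data).buffer);
  if (view.getUint32(0, true) !== 2) return null; // discriminator 2 = Transfer
  return { from: ix.keys[0], to: ix.keys[1], lamports: view.getBigUint64(4, true) };
}

// Report every transfer out of the signer's wallet whose destination is not allowed.
function findUnexpectedTransfers(tx, signer, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === signer && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}

// Encode a Transfer instruction; used only to build the constructed sample below.
function encodeTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return { programId: SYSTEM_PROGRAM_ID, keys: [from, to], data: Array.from(data) };
}

// Constructed sample: a swap-like instruction followed by a silently appended
// transfer of 0.0013 SOL (1,300,000 lamports), the minimum fee described above.
const USER = "UserWalletPLACEHOLDER";
const ATTACKER = "AttackerWalletPLACEHOLDER";
const SWAP_PROGRAM = "SwapProgramPLACEHOLDER"; // stands in for the DEX program
const sampleTx = {
  instructions: [
    { programId: SWAP_PROGRAM, keys: [USER], data: [9, 0, 0, 0] }, // placeholder swap
    encodeTransfer(USER, ATTACKER, 1_300_000),
  ],
};

console.log(findUnexpectedTransfers(sampleTx, USER, [USER]));
```

A wallet or review tool would run this on the deserialized transaction and refuse to sign, or prompt the user, when the result is non-empty.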