A deceptive malicious Chrome extension, known as Crypto Copilot, has been silently siphoning cryptocurrency from unsuspecting Solana traders. Discovered by security researchers, the extension, which boasts convenient trading features, was available on the Chrome Web Store since June 18, 2024, and managed to steal funds from hundreds of users. The extension presented itself as a tool to facilitate quick crypto swaps directly from the X social media platform, integrating with popular wallets like Phantom and Solflare and utilizing data from DexScreener and Raydium.
The deceptive nature of Crypto Copilot lies in its sophisticated, hidden mechanism for extracting fees. While offering a seamless user experience, the extension secretly injects an undisclosed transaction during every swap. This covert operation routes a portion of the user’s SOL, specifically a minimum of 0.0013 SOL or 0.05% of the total trade value, to a wallet controlled by the attackers. This theft occurred without any explicit user notification or consent, preying on the trust users placed in the seemingly legitimate trading tool.
Crypto Copilot’s Deceptive Attack Mechanism
Security analysts from Socket.dev detailed how the malicious Chrome extension manipulates transaction construction at the blockchain level to facilitate its illicit gains. When a user initiates a swap, Crypto Copilot constructs the legitimate trade instruction for the decentralized exchange, Raydium. However, it then silently appends a second, unauthorized instruction. This appended instruction, utilizing the SystemProgram.transfer command, diverts SOL from the user’s wallet directly to the perpetrator’s wallet address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7.
The trick lies in the user interface and typical wallet confirmation processes. The extension’s user interface only displays the details of the intended swap, creating a false sense of security. Furthermore, most wallet confirmation screens provide a summary of transactions rather than an in-depth breakdown of individual blockchain instructions. Consequently, users inadvertently approve what appears as a single, legitimate transaction, unaware that two distinct operations are executed on-chain simultaneously. This clever manipulation allows the extension to execute the fee theft without raising immediate suspicion from the user.
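To show how such an appended instruction can be caught before signing, here is an added example (not code from the article or from Socket.dev) that audits a simplified Solana transaction for System Program transfers to recipients the user did not expect; the instruction object shape, the DEX program id and the user wallet are constructed placeholders, while the drain wallet and the fee formula are the ones the article reports.

```javascript
// Solana's System Program id (a real, fixed constant) and the drain wallet the article reports.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const REPORTED_DRAIN_WALLET = "Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7";
const LAMPORTS_PER_SOL = 1_000_000_000;

// Hidden fee as described in the article: max(0.0013 SOL, 0.05% of the trade), in lamports.
function hiddenFeeLamports(tradeLamports) {
  const minFee = Math.round(0.0013 * LAMPORTS_PER_SOL); // 1,300,000 lamports
  const percentFee = Math.round(tradeLamports * 0.0005);
  return Math.max(minFee, percentFee);
}

// Walk every instruction in a (simplified) transaction and report each System Program
// transfer whose destination the user did not expect. Instructions here are plain objects
// shaped as {programId, kind, from, to, lamports}; a real tool would decode them from
// a @solana/web3.js Transaction instead of using this constructed shape.
function findUnexpectedTransfers(tx, expectedRecipients) {
  const allowed = new Set(expectedRecipients);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const isSystemTransfer = ix.programId === SYSTEM_PROGRAM_ID && ix.kind === "transfer";
    if (!isSystemTransfer || allowed.has(ix.to)) return;
    findings.push({
      index,
      to: ix.to,
      lamports: ix.lamports,
      sol: ix.lamports / LAMPORTS_PER_SOL,
      matchesReportedWallet: ix.to === REPORTED_DRAIN_WALLET,
    });
  });
  return findings;
}

// Constructed sample: a 2 SOL swap through a DEX program (placeholder id, not Raydium's
// real one) followed by the silently appended transfer to the drain wallet.
const DEX_PROGRAM_PLACEHOLDER = "DexProgramIdPlaceholder11111111111111111111";
const USER_WALLET = "UserWalletPlaceholder1111111111111111111111";
const tradeLamports = 2 * LAMPORTS_PER_SOL;
const sampleTx = {
  instructions: [
    { programId: DEX_PROGRAM_PLACEHOLDER, kind: "swap", from: USER_WALLET, lamports: tradeLamports },
    { programId: SYSTEM_PROGRAM_ID, kind: "transfer", from: USER_WALLET,
      to: REPORTED_DRAIN_WALLET, lamports: hiddenFeeLamports(tradeLamports) },
  ],
};

// The user expects SOL to leave only for the swap itself, so the appended transfer is
// flagged: 1,300,000 lamports (0.0013 SOL, the minimum fee) to the reported wallet.
const findings = findUnexpectedTransfers(sampleTx, [USER_WALLET]);
console.log(JSON.stringify(findings, null, 2));
```

A wallet or browser-side guard that decodes the real instruction list the same way would surface the second instruction that the summary confirmation screen hides.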
Beyond Fee Theft: Privacy Risks and Data Exfiltration
The malicious functionality of Crypto Copilot extends beyond mere fee extraction. Researchers also uncovered evidence that the extension exfiltrates users’ connected wallet public keys to a backend server located at crypto[.]copilot-dashboard[.]vercel[.]app/api/users. This unauthorized data collection constitutes a significant privacy violation, potentially exposing users to further risks and targeted attacks. The collected wallet addresses could be used to track user activity or identify targets for future phishing attempts or exploits.
Additionally, the extension was found to contain embedded Helius RPC API credentials. Shipping such credentials inside a publicly distributed extension escalates the security risks associated with Crypto Copilot: anyone who extracts them could use the attackers' RPC access to query the Solana network, and the researchers note this could enable service disruption or deeper insight into the ecosystem. The malicious code itself is heavily obfuscated within the assets/popup.js file, a common tactic to evade detection by security software and browser checks.
Despite these critical discoveries by security researchers, the listing for Crypto Copilot on the Chrome Web Store remained unchanged, with no warnings issued to potential users about the hidden charges or the background data collection occurring. The absence of immediate action from the platform underscores a persistent challenge in safeguarding users from sophisticated malicious extensions that can bypass existing security measures. Users who have installed the extension are strongly advised to remove it immediately and review their wallet activity for any unauthorized transactions.
The ongoing availability of such extensions highlights the continuous cat-and-mouse game between cybersecurity researchers and malicious actors. As the Solana trading ecosystem grows, so too do the opportunities for bad actors to exploit vulnerabilities and user trust. The next expected step is for Google to remove the extension from the Chrome Web Store, a process that may take time given the obfuscation of the malicious code. In the meantime, the Solana community remains vigilant, awaiting further updates on the extent of the damage and the development of more robust protection mechanisms against such sophisticated threats.