According to a recent report, the “Crypto Copilot” Chrome extension is siphoning SOL from anyone who installs it.
The extension poses as a trading helper for Solana users, letting you execute swaps directly from X (Twitter) posts.
On the surface, it looks entirely normal: it connects to standard wallets, shows DexScreener price data, and routes swaps through Raydium, Solana’s largest AMM.
But beneath that UI, it secretly injects an extra instruction into every transaction you sign.
How it works
The extension quietly attaches a second instruction behind the scenes: a tiny, hidden SOL transfer to the attacker’s personal wallet.
You never see it in the UI. Wallets like Phantom only show a summary unless you manually expand the instruction list, so most users never notice an outbound transfer buried inside the same transaction.
The fee-extraction code itself is simple: it calculates either a tiny fixed fee or a tiny percentage of the trade, converts it to lamports, and then quietly adds a second instruction to the transaction that sends that amount to the attacker’s wallet.
What makes it dangerous is that this logic is buried inside heavily obfuscated JavaScript. On the surface, the UI looks completely legitimate, showing only the expected Raydium swap.
The extension also connects to a backend domain with a typo in its name, which records wallet IDs, tracks activity, and pretends to offer “points” and referrals even though the actual website is empty and non-functional.
On-chain, the theft looks like tiny, ordinary SOL transfers sitting next to legitimate swaps. Unless someone inspects the instructions carefully or knows the attacker’s address, it blends in. The fee is deliberately small enough to be overlooked in the moment.
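The check that a wallet or a careful user would need in order to catch the appended instruction described above, written here as an added example (not code from the extension or from any wallet): it walks a decoded transaction, recognizes System Program transfer instructions by their wire format (a little-endian u32 instruction index of 2 followed by a little-endian u64 lamport amount), and flags any transfer that moves SOL out of the signer’s wallet to an address that is not part of the intended swap. The transaction shape, account addresses and the `findUnexpectedTransfers` / `encodeSystemTransfer` names are assumptions for the demo; the sample swap-plus-hidden-transfer is constructed to mirror the report.

```javascript
// Added example, not the extension's code: pre-sign inspection of a decoded
// Solana transaction. Transactions are modelled as plain objects so this runs
// offline with no @solana/web3.js dependency; instruction data is a Uint8Array
// in the same layout the System Program reads on chain.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminator

// Decode System Program data: u32 LE instruction index, then u64 LE lamports.
function decodeSystemTransfer(data) {
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer that leaves `signer` for an address not in `allowed`.
// A hidden fee instruction appended to a swap shows up here with its lamport amount.
function findUnexpectedTransfers(tx, signer, allowed) {
  const hits = [];
  tx.instructions.forEach((ix, i) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const decoded = decodeSystemTransfer(ix.data);
    if (!decoded) return;
    const [from, to] = ix.accounts; // Transfer accounts: [funding account, recipient]
    if (from === signer && !allowed.has(to)) {
      hits.push({ index: i, to, lamports: decoded.lamports });
    }
  });
  return hits;
}

// Build transfer data in the System Program's own encoding (used for the sample).
function encodeSystemTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return data;
}

// Constructed sample: a Raydium swap followed by a hidden 0.001 SOL transfer.
// All addresses are placeholders, not real on-chain accounts.
const USER = "UserWalletPlaceholder111111111111111111111111";
const RAYDIUM = "RaydiumAmmPlaceholder11111111111111111111111";
const ATTACKER = "AttackerWalletPlaceholder1111111111111111111";
const sampleTx = {
  instructions: [
    { programId: RAYDIUM, accounts: [USER, "PoolPlaceholder"], data: new Uint8Array([9]) },
    { programId: SYSTEM_PROGRAM_ID, accounts: [USER, ATTACKER], data: encodeSystemTransfer(1_000_000) },
  ],
};
const flagged = findUnexpectedTransfers(sampleTx, USER, new Set([USER]));
```

Running it against the sample reports the second instruction (index 1) as a 1,000,000-lamport transfer to the unexpected recipient, which is exactly the line a summary-only wallet view hides.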
