Malicious Google Chrome extension "Crypto Copilot" steals funds from Solana swaps by hiding additional transfers
Nov 28, 2025 08:07:56
Cointelegraph reports that cybersecurity company Socket disclosed in a report released on Tuesday that a malicious Google Chrome extension named Crypto Copilot lets users trade on the Solana blockchain directly from posts on the social media platform X while secretly siphoning a fee from each swap into its creator's wallet.
The extension uses the decentralized exchange Raydium to execute swaps for users, and attaches a hidden transfer instruction that moves SOL from the user's account to the attacker's account. Unlike typical malware that attempts to steal the entire wallet balance, this extension siphons at least 0.0013 SOL (approximately 0.05% of the transaction amount) from each transaction. The extension's user interface displays only the swap details, and the wallet confirmation screen summarizes the transaction without listing its individual instructions, so users believe they are signing only a swap when they are in fact authorizing both the swap and the transfer of funds.
Although the extension has accumulated only 15 users since its release on June 18, 2024, the case still exposes security weaknesses in the browser extension ecosystem.


