A dangerous Chrome browser extension is quietly stealing money from cryptocurrency traders on the Solana network.

Malicious Chrome Extension Secretly Steals From Solana Traders

2025/11/28 04:06

The malicious tool, called “Crypto Copilot,” tricks users into thinking they’re using a helpful trading app while secretly taking a cut from every transaction.

Security researchers at Socket published their findings on November 25, 2024. The extension has been active since June 18, 2024, making it one of the longest-running crypto scams on Google’s Chrome Web Store.

How the Scam Works

Crypto Copilot markets itself as a convenient trading tool that lets users buy and sell Solana tokens directly from their Twitter feeds. The extension promises “instant trading” without switching between different apps or websites.

But behind this helpful appearance lies a sophisticated theft mechanism. Every time a user makes a trade through the extension, it secretly adds an extra transaction that sends money to the attacker’s wallet.

The extension steals either 0.0013 SOL (minimum amount) or 0.05% of the trade amount, whichever is larger. For trades exceeding 2.6 SOL, the fee becomes 0.05% of the swap amount.

Source: SocketSecurity

The stolen funds go to a specific wallet address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. According to blockchain records, the attacker has only collected a small amount so far because the extension hasn’t attracted many users.

Advanced Hiding Techniques

What makes this scam particularly dangerous is how well it hides the theft. The extension uses Raydium, a legitimate Solana trading platform, to process the actual trades. This makes everything look normal to users.

The malicious code is hidden using advanced techniques like minification and variable renaming, making it nearly impossible for regular users to detect. When users approve a transaction, their wallet shows what appears to be a single trade. In reality, two transactions happen at the same time – the legitimate trade and the hidden theft.

Most Solana wallets show simplified transaction summaries instead of detailed breakdowns. This design choice, meant to make wallets easier to use, actually helps hide the scam from users.

The extension also connects to fake websites designed to look legitimate. The backend domain “crypto-coplilot-dashboard.vercel.app” loads only a blank page, and the main website “cryptocopilot.app” is parked by GoDaddy. These red flags should warn users that something isn’t right.

Part of a Growing Problem

Crypto Copilot isn’t the first malicious Chrome extension targeting cryptocurrency users. In August 2024, Jupiter, a major Solana trading platform, warned users about a dangerous extension called “Bull Checker” that was completely draining wallets rather than skimming small amounts. Separately, security researchers have found other fake wallets ranking high in Chrome Web Store search results.

In June 2024, a Chinese trader lost $1 million after installing a Chrome extension called “Aggr.” That extension stole browser cookies and hijacked accounts on centralized exchanges like Binance.

Recent research found 186 malicious cryptocurrency extensions out of 3,599 analyzed over 18 months. These fake tools have stolen over $1 million worth of cryptocurrency from unsuspecting users.

The problem is getting worse as more people use browser extensions for cryptocurrency trading. Chrome’s massive user base and flexible permission system make it an attractive target for scammers.

Why Solana Users Are Vulnerable

Solana’s technical design makes it easier for scammers to hide malicious transactions. The network allows multiple actions to happen in a single transaction, which attackers use to bundle legitimate trades with hidden thefts.

Many Solana users also trade meme coins and other fast-moving tokens, making them more likely to use tools that promise quick, convenient trading. This urgency can lead people to install extensions without carefully checking their legitimacy.

The extension specifically targets users following token discussions on Twitter, where crypto trading happens at a rapid pace. The promise of “one-click trading” appeals to traders who don’t want to miss opportunities while switching between different platforms.

How to Stay Safe

Security experts recommend several steps to protect against malicious extensions:

First, always review transaction details before approving them. Look for unexpected transfers or instructions that don’t match what you intended to do. On Solana, check for any SystemProgram.transfer instructions you didn’t expect.

Second, only install extensions from verified developers with good reputations. Avoid downloading extensions that request excessive permissions, especially the ability to read and modify all website data.

Third, if you’ve already installed Crypto Copilot, move your cryptocurrency to a new, clean wallet immediately. Also revoke all website connections for your old wallet to prevent further unauthorized access.
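The check described in the first step, as an added example (not code from the extension or from Socket): it walks a decoded transaction's instructions, decodes System Program transfers, and flags any whose destination is not one the user expected, noting whether the amount matches the fee rule stated earlier. The account names, the swap program placeholder and the sample transaction are constructed assumptions.

```javascript
// Added example; all account names and the sample transaction are constructed.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const TRANSFER_INDEX = 2; // SystemInstruction::Transfer: u32 LE index + u64 LE lamports

// Fee rule as the article states it: max(0.0013 SOL, 0.05% of the trade).
function expectedSkimLamports(tradeLamports) {
  const pct = (tradeLamports * 5n) / 10000n;
  return pct > 1300000n ? pct : 1300000n;
}

// Decode a System Program transfer; returns null for any other instruction.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.accounts.length < 2) return null;
  const data = Buffer.from(ix.data);
  if (data.length !== 12 || data.readUInt32LE(0) !== TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// Report every SOL transfer whose destination the user did not expect to pay.
function findUnexpectedTransfers(instructions, expectedDestinations, tradeLamports) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t === null || expectedDestinations.has(t.to)) return;
    const matchesSkimRule = t.lamports === expectedSkimLamports(tradeLamports);
    findings.push({ index, to: t.to, lamports: t.lamports, matchesSkimRule });
  });
  return findings;
}

// Helper that builds transfer instruction data for the constructed sample.
function transferData(lamports) {
  const b = Buffer.alloc(12);
  b.writeUInt32LE(TRANSFER_INDEX, 0);
  b.writeBigUInt64LE(lamports, 4);
  return b;
}

// Constructed 10 SOL swap: wrap SOL, swap, then an extra transfer to a stranger.
const TRADE = 10000000000n;
const sampleInstructions = [
  { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"], data: transferData(TRADE) },
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET", "POOL_PLACEHOLDER"], data: Buffer.from([9]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "UNKNOWN_DESTINATION"], data: transferData(5000000n) },
];
const findings = findUnexpectedTransfers(sampleInstructions, new Set(["USER_WSOL_ACCOUNT"]), TRADE);
console.log(findings);
```

The allowlist matters because a legitimate swap can itself include a SOL transfer into the user's own wrapped-SOL account; only the transfer to an unrecognized destination is reported.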

The extension was published by a user named “sjclark76” and currently has only 15-18 users with a one-star rating on the Chrome Web Store. Socket submitted a takedown request to Google, but the extension remained available as of late November 2024.

Users should also be skeptical of extensions that promise unrealistic convenience or profits. Legitimate trading tools typically require users to visit actual trading platforms rather than offering shortcuts through browser extensions.

The Bottom Line

The Crypto Copilot scam shows how cryptocurrency thieves are becoming more sophisticated. Instead of trying to steal entire wallets at once, they’re now using subtle, long-term strategies that are harder to detect.

This approach is particularly dangerous because victims might not notice small amounts being stolen over time. For active traders, these tiny thefts can add up to significant losses over weeks or months.
