A Chrome extension posing as a Solana trading assistant quietly siphoned fees from user swaps for months, using obfuscated transaction logic to route a slice of every trade to an attacker-controlled wallet.

Flagged by Cybersecurity firm Socket earlier this week, the ‘Crypto Copilot’ extension had been available on the Chrome Web Store since June as a convenience tool for traders on popular Solana DEX Raydium.

However, Socket found it injected a second instruction into every Raydium swap — transferring either 0.0013 SOL or 0.05% of the trade amount to a hardcoded wallet.

The exploit relied on a simple mechanism of generating the correct Raydium swap instruction, then appending a hidden transfer.

This worked because wallet interfaces typically summarize instructions as a single swap, and the bundled transaction executes atomically — meaning users unknowingly sign off on both. Imagine ordering a burger through a fast-food app where the "confirm order" button actually bundles payment, receipt printing, and handing over your food and change—all in one seamless move.

On-chain flows suggest limited adoption so far, with only small amounts collected by the attacker. But the mechanism scales with size: trades above roughly 2.6 SOL trigger the 0.05% fee, meaning a 100 SOL swap would siphon 0.05 SOL, or about $10 at current prices.

Several other signals point to a hastily assembled infrastructure. The extension’s primary domain, cryptocopilot[.]app, is parked on GoDaddy, while its backend — crypto-coplilot-dashboard[.]vercel[.]app, complete with a misspelling — returns a blank page despite collecting wallet metadata.

Socket said it has submitted a formal takedown request to Google, though the extension remained live at the time of writing. It warned users to avoid closed-source extensions that request signing privileges and to migrate assets to fresh wallets if they interacted with Crypto Copilot.