Solana browser extension ‘Crypto Copilot’ exposed for diverting user funds in secret trades

Chrome Solana extension ‘Crypto Copilot’ covertly diverts user funds in swaps, highlighting browser crypto security risks.

A Chrome browser extension designed for Solana cryptocurrency trading secretly diverts funds from users by embedding hidden transfer instructions in swap transactions, according to a report from cybersecurity firm Socket’s Threat Research Team.

The extension, named Crypto Copilot, enables users to trade SOL (SOL) tokens directly from X, formerly known as Twitter, while covertly redirecting a portion of each transaction to an attacker-controlled wallet, Socket reported. Each swap executed through the extension includes a concealed instruction transferring 0.05 percent of the transaction value, or a minimum of 0.0013 SOL, to a hardcoded wallet address.

Published on the Chrome Web Store in mid-2024, Crypto Copilot markets itself as a tool for instant Solana trading, according to the report. Users view only the primary swap transaction on confirmation screens, which summarize the transaction without disclosing the additional transfer instruction, Socket stated.

The extension employs obfuscation techniques including code minification and variable renaming to conceal the malicious behavior, according to the cybersecurity firm. The software communicates with a backend server hosted at crypto-coplilot-dashboard.vercel.app, where it registers connected wallets, tracks user activity, and reports referral data, the report said.

A second domain associated with the extension, cryptocopilot.app, remains parked and non-functional. Socket noted that the absence of an operational dashboard is inconsistent with legitimate trading platforms.

Crypto Copilot utilizes Raydium, an automated market maker on the Solana blockchain, to execute swaps. The extension appends a hidden SystemProgram.transfer instruction to each trade, completing atomic on-chain transfers that divert funds while users approve what appears to be a single transaction, according to the report.

Solana browser extension Crypto Copilot studied by Socket

Although installation numbers remain low, Socket warned that cumulative losses pose significant risks for frequent traders. Incremental fund diversions may accumulate undetected, illustrating broader security threats posed by browser-based cryptocurrency tools, the firm stated.

Previous incidents have involved malicious Chrome and Firefox extensions targeting cryptocurrency wallets including MetaMask, Phantom, and Coinbase, according to industry reports.

The incident highlights vulnerabilities in browser-based cryptocurrency security and the importance of transaction verification before approval, Socket stated. As browser-based tools increasingly integrate cryptocurrency trading functionality, enhanced monitoring and oversight of Chrome’s extension ecosystem may be necessary to protect decentralized finance users, the report concluded.

Solana traders are advised to verify extension legitimacy, review transaction instructions in detail, and monitor updates from cybersecurity researchers, according to Socket.