A new report revealed that Crypto Copilot injected unauthorized transfer instructions into Solana swaps for months, silently diverting funds from wallets. The Chrome extension appeared legitimate but embedded malicious code that rerouted a portion of each transaction to an attacker-controlled address. Analysts confirmed that the behavior remained concealed during transaction approval, raising significant concerns over browser-based crypto tools.
Crypto Copilot operated as a trading assistant, allowing users to execute swaps directly through browser wallets. It consistently inserted a second instruction into Raydium transactions, transferring either 0.0013 SOL or 0.05% of the trade value to a hardcoded wallet. Users unknowingly approved these actions because transaction summaries displayed only the main swap.
Investigators stated that Crypto Copilot collected public wallet data and interacted with servers, although the backend displayed no functional dashboard. The extension used obfuscated JavaScript to conceal the malicious process, making detection difficult through standard inspection. In addition, the primary associated domain remained parked, which suggested limited or incomplete backend infrastructure.
Cybersecurity experts linked Crypto Copilot to a wider pattern of browser extension attacks targeting wallet transactions. They emphasized that incremental fund siphoning accumulated over time, particularly in large-volume swaps. Consequently, frequent Solana traders faced greater risk due to repetitive exposure.
The extension used Raydium protocols to build legitimate swap instructions and then appended the hidden transfer to the same transaction. Because every instruction in a confirmed transaction executes atomically, Crypto Copilot could siphon funds without a separate approval. As a result, users unknowingly signed transactions that bundled both the swap execution and the hidden transfer.
On-chain data suggested limited adoption; however, the exploit scaled in proportion to trade size. For example, a 100 SOL swap resulted in a diversion of 0.05 SOL. High-volume activity amplified potential losses despite low installation numbers.
Crypto Copilot integrated smoothly with popular wallet interfaces, further masking its hidden transfer feature. The interface appeared safe, but users could not easily view underlying instructions. Collected wallet metadata flowed to attacker-operated servers, further heightening security concerns.
The exposure of Crypto Copilot raised concerns over security practices within the Chrome extension ecosystem. Experts recommended reviewing installed extensions, moving assets to hardware wallets, and inspecting blockchain transactions before authorization. They also advised immediate fund migration to new wallets for users who interacted with the extension.
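The pre-authorization inspection recommended above can be automated. The following is an added example, not code from the report or the extension: it walks a decoded transaction's top-level instructions and flags any System Program transfer from the signer to an address the user did not expect. The instruction object shape, the function names and all placeholder addresses are assumptions made for illustration; the sample reproduces the 0.05 SOL diversion on a 100 SOL swap described in the article.

```javascript
// Added example (not the extension's or the report's code): flag SOL transfers
// appended to a swap. Addresses below are constructed placeholders.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const LAMPORTS_PER_SOL = 1_000_000_000;

// System Program Transfer data: u32 LE instruction index (2) + u64 LE lamports.
function decodeSystemTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return view.getBigUint64(4, true);
}

// Return top-level transfers paid by `owner` to any address outside `allowed`
// (assumption: `allowed` holds accounts the user expects to fund, e.g. their own wrapped-SOL account).
function findUnexpectedTransfers(instructions, owner, allowed = new Set()) {
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM) return;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) return;
    const [from, to] = ix.accounts;
    if (from === owner && to !== owner && !allowed.has(to)) {
      findings.push({ index, to, lamports });
    }
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

const OWNER = "OWNER_WALLET_PLACEHOLDER";
const sampleInstructions = [ // constructed: one swap instruction plus an appended 0.05 SOL transfer
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [OWNER, "POOL_PLACEHOLDER"], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM, accounts: [OWNER, "UNKNOWN_RECIPIENT_PLACEHOLDER"], data: encodeTransfer(50_000_000n) },
];

for (const f of findUnexpectedTransfers(sampleInstructions, OWNER)) {
  console.log(`instruction ${f.index}: ${Number(f.lamports) / LAMPORTS_PER_SOL} SOL -> ${f.to}`);
}
```

Only top-level instructions are checked, which matches the appended-instruction behavior described here; transfers performed through cross-program invocation would not appear in this list.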
Past incidents involved malicious extensions targeting tools such as Phantom, MetaMask, and Coinbase wallets. Crypto Copilot demonstrated how small, concealed instructions can escape user scrutiny during transaction approval. Industry specialists called for enhanced monitoring of browser-based trading tools as decentralized finance adoption increases.
The post Crypto Copilot Extension Exposed for Secretly Draining Solana Wallets appeared first on CoinCentral.


