Solana Chrome extension 'Crypto Copilot' secretly diverts funds from Raydium swaps
Crypto Copilot, a malicious Chrome extension targeting Solana users, was found to insert a hidden SystemProgram.transfer instruction into Raydium swap transactions, diverting a small portion of each trade to an attacker-controlled address. Security firm Socket's analysis shows the extension takes roughly 0.05% of each swap (with a floor of about 0.0013 SOL) by appending the transfer to the transaction before it is signed. Because the extra instruction is part of the same atomic transaction as the swap, it executes whenever the swap does, while the extension's own UI shows only the primary swap.

The extension's code was obfuscated (minified, with renamed variables), and it phoned home to a backend dashboard at crypto-coplilot-dashboard.vercel.app to register wallets and report activity.

Published to the Chrome Web Store in mid-2024, Crypto Copilot had low install numbers, but it demonstrates a stealth siphoning technique that could cause meaningful cumulative losses for frequent traders. Since the diverted amount rides inside an otherwise legitimate swap, the wallet's transaction review is the last point at which it can be seen before signing, and a review that shows only the net balance change will not make an extra 0.05% obvious.

Traders should verify extension authenticity, inspect every instruction in the wallet's confirmation before approving, remove unfamiliar browser extensions, and follow security researchers' advisories. Keywords: Solana extension, Crypto Copilot, hidden transfer, Raydium, SystemProgram.transfer, wallet security.
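The check a wallet or a cautious trader would want at the signing step, written here as an added example rather than code from Socket's report or from the extension itself: walk every instruction in the transaction, decode any SystemProgram transfer (instruction data is a u32 little-endian index of 2 followed by a u64 little-endian lamport amount), and flag transfers whose recipient is not an account the user expects. The transaction shape mirrors what @solana/web3.js exposes for a legacy transaction (programId, keys, data), but no library or network is used; the DEX program id, wallet addresses and the 0.0013 SOL floor are placeholders and assumptions, and the sample transaction is constructed for the example.

```javascript
// Added example: detect a hidden SystemProgram.transfer appended to a swap.
// Not the extension's code and not Socket's tooling; placeholder addresses throughout.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // Solana System Program
const SYSTEM_TRANSFER_INDEX = 2;      // SystemInstruction::Transfer discriminator (u32 LE)
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Encode SystemProgram.transfer data: u32 LE instruction index, then u64 LE lamports.
// Used only to build the constructed sample transaction below.
function encodeSystemTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Returns the lamport amount (BigInt) if `ix` is a System transfer, otherwise null.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return view.getBigUint64(4, true);
}

// Walk every instruction and report System transfers to recipients outside the allow-list.
// For a transfer the account keys are [from, to], so the recipient is keys[1].
function findHiddenTransfers(tx, allowedRecipients) {
  const hits = [];
  tx.instructions.forEach((ix, index) => {
    const lamports = decodeSystemTransfer(ix);
    if (lamports === null) return;
    const recipient = ix.keys[1].pubkey;
    if (!allowedRecipients.has(recipient)) {
      hits.push({ index, recipient, lamports, sol: Number(lamports) / Number(LAMPORTS_PER_SOL) });
    }
  });
  return hits;
}

// The skim Socket described: 0.05% of the swap, floored at roughly 0.0013 SOL (assumed exact here).
function skimLamports(swapLamports) {
  const pct = BigInt(swapLamports) / 2000n;   // 0.05% == 1/2000
  const floor = 1_300_000n;                   // 0.0013 SOL in lamports
  return pct > floor ? pct : floor;
}

// Constructed sample: a 10 SOL swap with a transfer appended after it (placeholder keys).
const USER = "UserWalletPlaceholder1111111111111111111111";
const ATTACKER = "AttackerWalletPlaceholder111111111111111111";
const DEX_PROGRAM = "DexProgramPlaceholder1111111111111111111111";
const SWAP_LAMPORTS = 10n * LAMPORTS_PER_SOL;

const sampleTx = {
  instructions: [
    // The swap the user actually asked for; its data is opaque to this check.
    { programId: DEX_PROGRAM,
      keys: [{ pubkey: USER, isSigner: true, isWritable: true }],
      data: new Uint8Array([9, 0, 0]) },
    // The appended transfer the extension UI never shows.
    { programId: SYSTEM_PROGRAM_ID,
      keys: [{ pubkey: USER, isSigner: true, isWritable: true },
             { pubkey: ATTACKER, isSigner: false, isWritable: true }],
      data: encodeSystemTransfer(skimLamports(SWAP_LAMPORTS)) },
  ],
};

for (const hit of findHiddenTransfers(sampleTx, new Set([USER]))) {
  console.log(`instruction ${hit.index}: ${hit.sol} SOL to ${hit.recipient} not part of the swap`);
}
```

One caveat for anyone turning this into a wallet rule: a legitimate SOL swap can itself contain a System transfer, typically to a wrapped-SOL token account the user owns, so the allow-list has to include the user's own accounts (and any temporary accounts created earlier in the same transaction), and the signal to act on is an unknown recipient, not the mere presence of a transfer.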
Bearish
The exploit directly targets Solana (SOL) swaps by siphoning a small percentage of each trade. Although the per-swap amount (about 0.05%, with a floor near 0.0013 SOL) is small, frequent traders and high-volume users could incur cumulative losses. The immediate market reaction for SOL is likely negative but limited: low install numbers and the small size of each theft reduce systemic risk, so the short-term price impact should be modest, confined to a hit to confidence among users of browser-based trading tools. Longer term, repeated incidents involving malicious extensions would raise the perceived custodial and UX risk around Solana dApps and browser tooling, which could suppress on-chain swap volume and put downward pressure on retail demand for SOL. Overall: short-term modest bearish sentiment driven by security concerns and a possible reduction in trading activity; the longer-term risk depends on how marketplaces, wallet UIs, and extension stores respond to mitigate such attacks.