
Malicious Chrome extensions secretly siphon fees from Solana traders for months.


Source: PortaldoBitcoin
Original Title: Chrome Extension Diverts Solana Traders' Fees for Months
Original Link:

A Chrome extension, marketed as a convenient trading tool, has been secretly siphoning off Solana (SOL) from users' transactions since last June, injecting hidden fees into each transaction while masquerading as a legitimate Solana trading assistant.

The cybersecurity company Socket discovered the malicious extension Crypto Copilot during its “continuous monitoring” of the Chrome Web Store, as reported by security engineer and researcher Kush Pandya.

In an analysis of the malicious extension, Pandya wrote that the Crypto Copilot silently adds an extra transfer instruction to each Solana swap transaction, extracting a minimum of 0.0013 SOL or 0.05% of the transaction value to a wallet controlled by the attacker.

“Our AI scanner flagged several indicators: aggressive code obfuscation, a Solana address embedded in the transaction logic, and discrepancies between the declared functionality of the extension and the actual behavior of the network,” said Pandya, adding that “these alerts triggered a deeper manual analysis that confirmed the hidden fee extraction mechanism.”

The research points to risks in browser-based crypto tools, particularly extensions that combine integration with social media and transaction signing features.

The extension remained available on the Chrome Web Store for months, with no warning to users about the undisclosed fees, hidden in highly obfuscated code, the report claims.

“The fee behavior is never disclosed on the extension page in the Chrome Web Store, and the logic that implements it is hidden in highly obfuscated code,” noted Pandya.

Every time a user swaps tokens, the extension generates the correct Raydium swap instruction, but discreetly adds an extra transfer directing SOL to the attacker's address.

Raydium is a decentralized exchange and automated market maker built on the Solana blockchain, and a “Raydium swap” simply refers to exchanging one token for another through its liquidity pools.

Users who installed Crypto Copilot, believing it would simplify their trading with Solana, have unknowingly been paying hidden fees with each swap, fees that never appeared in the marketing materials of the extension or in the listing on the Chrome Web Store.

The interface only shows the details of the exchange, and wallet pop-ups summarize the transaction, so users sign what appears to be a single exchange, even though both instructions are executed simultaneously on the blockchain.

The attacker's wallet has received only small amounts so far, which the report reads as a sign that Crypto Copilot has not yet reached many users, not as an indication that the risk is low.

The fee mechanism is proportional to the size of the transaction. For swaps below 2.6 SOL, a minimum fee of 0.0013 SOL applies, and above this limit, a percentage fee of 0.05% comes into effect. This means that a swap of 100 SOL would charge 0.05 SOL, approximately $10 at current prices.

The main domain of the extension is registered on GoDaddy, while the backend only displays a blank page, despite collecting wallet data, according to the report.

Socket sent a removal request to the security team of Google's Chrome Web Store, but the extension was still available at the time of publication.

The platform recommends that users review each instruction before signing transactions, avoid closed-source trading extensions that request signing permissions, and migrate their assets to clean wallets if they have installed Crypto Copilot.
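The recommendation to review each instruction before signing can be turned into a check a wallet or a user-side tool could run. The following is an added example, not code from the article, from Socket or from the extension: it decodes every System Program transfer inside a transaction and reports any whose destination is not on the user's allow-list, which is exactly the shape of the extra instruction described above. The swap instruction, wallet addresses and program id other than the System Program are placeholders constructed for the example; the fee schedule (minimum 0.0013 SOL, 0.05% above 2.6 SOL) is the one the report describes.

```javascript
// Added example: pre-signing audit of a Solana transaction for unexpected SOL transfers.
// Addresses and the DEX program id are constructed placeholders, not real pubkeys.

const LAMPORTS_PER_SOL = 1_000_000_000n;
// Real Solana System Program id (the base58 all-ones address).
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
// System Program instruction enum: Transfer = 2. Wire data is u32 LE index + u64 LE lamports.
const SYSTEM_TRANSFER_INDEX = 2;

const USER = "USER_WALLET_PLACEHOLDER";          // constructed
const ATTACKER = "ATTACKER_WALLET_PLACEHOLDER";  // constructed; article does not publish the real one
const DEX_PROGRAM = "DEX_PROGRAM_PLACEHOLDER";   // constructed stand-in for the swap program

// Encode a System Program Transfer instruction (from -> to, amount in lamports).
function encodeSystemTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return { programId: SYSTEM_PROGRAM_ID, accounts: [from, to], data };
}

// Decode an instruction if it is a System Program Transfer; otherwise return null.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// The audit: every SOL transfer whose destination is not explicitly allowed is a finding.
// Wallet pop-ups that summarise "one swap" would not surface these; this walk does.
function findUnexpectedTransfers(tx, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, sol: Number(t.lamports) / Number(LAMPORTS_PER_SOL) });
    }
  });
  return findings;
}

// Fee schedule as described in the report: max(0.0013 SOL, 0.05% of the swap amount).
// The two branches meet at 2.6 SOL (0.0005 * 2.6 = 0.0013).
function hiddenFeeSol(swapAmountSol) {
  return Math.max(0.0013, swapAmountSol * 0.0005);
}

// Constructed transaction mimicking the described pattern: a legitimate-looking swap
// instruction followed by a quiet SOL transfer to a third-party address.
function buildSampleSwap(swapSol, withHiddenFee) {
  const instructions = [{ programId: DEX_PROGRAM, accounts: [USER], data: new Uint8Array([9]) }];
  if (withHiddenFee) {
    const lamports = Math.round(hiddenFeeSol(swapSol) * 1e9);
    instructions.push(encodeSystemTransfer(USER, ATTACKER, lamports));
  }
  return { instructions };
}

// Convenience entry point: audit a sample swap of the given size.
function auditSampleSwap(swapSol, withHiddenFee = true) {
  return findUnexpectedTransfers(buildSampleSwap(swapSol, withHiddenFee), [USER]);
}

console.log(JSON.stringify(auditSampleSwap(100)));
```

Running it on a constructed 100 SOL swap reports one finding at instruction index 1 carrying 0.05 SOL to the placeholder attacker address, matching the figure the report gives; the same transaction without the extra transfer produces no findings. A real wallet would additionally need to decode SPL token transfers and program-specific instructions, but the principle is the same: every instruction in the message, not the pop-up summary, is what gets signed.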

Malware Patterns

Malware continues to be an increasing concern for cryptocurrency users. In September, a malware variant called ModStealer was discovered targeting cryptocurrency wallets on Windows, Linux, and macOS systems through fake job recruitment advertisements, managing to evade detection from major antivirus programs for nearly a month.

The technology director of a wallet platform, Charles Guillemet, had already warned that attackers had compromised a developer account on NPM, with malicious code attempting to quietly swap cryptocurrency wallet addresses during transactions across multiple blockchains.
