A malicious Google Chrome browser extension is letting users trade on Solana, while quietly skimming a fee from every swap into the creator’s wallet.
According to a Tuesday report by cybersecurity company Socket, the Google Chrome extension allows users to trade on Solana (SOL) from their X social media feed. Unlike typical wallet-draining malware that tries to steal the entire balance, Crypto Copilot “injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade,” Socket found.
On the back end, Crypto Copilot uses the decentralized exchange Raydium to perform swaps for the user, but appends a second instruction that transfers SOL from the user to the attacker. The user interface only shows the swap details while wallet confirmation screens “summarize the transaction without surfacing individual instructions.”
“Users sign what appears to be a single swap, but both instructions execute atomically on-chain,“ Socket said.
Related: 5 ‘insidious’ crypto scams to watch out for this year
A long-lived operation
Socket noted that it submitted a takedown request for the extension to the Chrome Web Store security team. The malicious extension is relatively long-lived, having been published on June 18, 2024, but the store reports that it only has 15 users at the time of writing.
Crypto Copilot markets itself as a convenience tool allowing Solana traders to execute swaps directly from Twitter. It promises “allowing you to act on trading opportunities instantly without the need for switching between apps or platforms.”
Related: NPM supply-chain attack compromises major ENS and crypto libraries
The latest of many malicious Google Chrome extensions
Google Chrome’s massive user base and extensible design have long made its extension ecosystem a target for crypto-focused scams. Earlier this month, Socket warned that the fourth-most-popular crypto wallet extension in the Chrome Web Store was draining user funds. In late August, decentralized exchange aggregator Jupiter said it had identified another malicious Chrome extension that was emptying Solana wallets.
In June 2024, a Chinese trader reportedly lost $1 million after installing a Chrome plugin called Aggr. That extension stole browser cookies to hijack accounts, including access to the trader’s Binance account.
Magazine: ‘Help! My robot vac is stealing my Bitcoin’: When smart devices attack
