
Crypto Copilot Chrome extension hidden Solana fee injection

Malware Activity
1 unique source, 1 article

Summary


The Crypto Copilot Chrome extension was found injecting a hidden Solana transfer into Raydium swaps, silently siphoning trade funds to an attacker-controlled wallet. The extension was published on the Chrome Web Store and had 12 installs, meaning the fee theft was available to real users. It also used obfuscation plus legitimate services like DexScreener and Helius RPC to disguise the behavior.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Chrome extension campaign

Campaign
First: 14.04.2026 14:30 Last: 14.04.2026 14:30 Sources 1

About this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

QuickLens - Search Screen with Google Lens hit by network compromise

Incident
First: 28.02.2026 21:18 Last: 28.02.2026 21:18 Sources 1

About this happening: The **QuickLens - Search Screen with Google Lens** Chrome extension was **compromised** and used to **push malware** to about **7,000 users**, creating risk of **credential theft*...

Timeline

  1. 26.11.2025 13:10 · 1 article

    Crypto Copilot published on the Chrome Web Store

    Untyped Phase

    Crypto Copilot was published on the Chrome Web Store under the developer name "sjclark76" on May 7, 2024. The listing advertised the browser add-on as a way to trade crypto directly on X with real-time insights and seamless execution, and it had 12 installs.

  2. 26.11.2025 13:10 · 2 articles

    Researchers describe hidden Solana fee injection in Crypto Copilot

    Technical Analysis Update

    Socket security researcher Kush Pandya said Crypto Copilot injects an extra transfer into each Solana swap on Raydium by appending a hidden SystemProgram.transfer before the user's signature is requested, then sends a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet. The extension also uses minification and variable renaming to hide the behavior and connects to crypto-coplilot-dashboard.vercel[.]app, cryptocopilot[.]app, DexScreener, and Helius RPC to create a veneer of legitimacy.

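A defensive check for the behavior described in the timeline above, as an added example (not code from Socket, the extension, or this page): it decodes top-level System Program transfer instructions in an already-decoded transaction and flags any whose recipient is not on the user's expected list. The instruction object shape, the placeholder addresses and the sample transaction are constructed assumptions.

```javascript
// Added example: pre-signing audit of a decoded Solana transaction.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminator (u32 LE)

// Decode a System Program transfer; returns null for any other instruction.
// Assumed shape: { programId: string, accounts: string[], data: number[] }.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const data = Buffer.from(ix.data);
  if (data.length < 12 || data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  if (ix.accounts.length < 2) return null;
  // Layout: u32 discriminator, then u64 lamports; accounts are [from, to].
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// Flag every lamport transfer whose destination the user did not expect.
function findUnexpectedTransfers(instructions, expectedRecipients) {
  const allowed = new Set(expectedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) findings.push({ index, ...t });
  });
  return findings;
}

// Helper that builds transfer instruction data for the constructed sample.
function transferData(lamports) {
  const b = Buffer.alloc(12);
  b.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  b.writeBigUInt64LE(BigInt(lamports), 4);
  return [...b];
}

// Constructed sample: a swap, a legitimate SOL wrap, and one extra transfer
// of 1,300,000 lamports (0.0013 SOL) to a recipient the user never chose.
const USER = "UserWalletPlaceholder";
const WSOL_ACCOUNT = "UserWrappedSolAccountPlaceholder";
const SAMPLE_TX = [
  { programId: "SwapProgramPlaceholder", accounts: [USER, WSOL_ACCOUNT], data: [9, 0, 0] },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, WSOL_ACCOUNT], data: transferData(1_000_000_000) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UnknownRecipientPlaceholder"], data: transferData(1_300_000) },
];
const findings = findUnexpectedTransfers(SAMPLE_TX, [USER, WSOL_ACCOUNT]);
for (const f of findings) console.log(`instruction #${f.index}: ${f.lamports} lamports -> ${f.to}`);
```

The check covers only top-level System Program transfers, which is the form the analysis describes; it assumes account indexes have already been resolved to addresses.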