Malicious Chrome Extension Crypto Copilot Injects Hidden Solana Transfer Fees
Summary
A malicious Chrome extension named Crypto Copilot has been discovered injecting hidden Solana (SOL) transfer fees into Raydium swap transactions. The extension, available on the Chrome Web Store, siphons a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The extension remains available with 12 installs as of November 2025, and its malicious behavior is concealed through obfuscation techniques. The extension communicates with a fake backend domain and uses legitimate services to appear trustworthy, while silently transferring fees to the attacker's wallet without user awareness.
Timeline
- 26.11.2025 13:10 (1 article): Malicious Chrome Extension Crypto Copilot Injects Hidden Solana Transfer Fees
- Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps — thehackernews.com — 26.11.2025 13:10
Information Snippets
- The Crypto Copilot extension was published on May 7, 2024, by a user named 'sjclark76'.
  First reported: 26.11.2025 13:10 (1 source, 1 article)
- The extension injects a hidden Solana transfer into every Raydium swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount.
  First reported: 26.11.2025 13:10 (1 source, 1 article)
- The malicious behavior is concealed using obfuscation techniques like minification and variable renaming.
  First reported: 26.11.2025 13:10 (1 source, 1 article)
- The extension communicates with a backend domain 'crypto-coplilot-dashboard.vercel[.]app' to register wallets and report user activity.
  First reported: 26.11.2025 13:10 (1 source, 1 article)
- The extension uses legitimate services like DexScreener and Helius RPC to appear trustworthy.
  First reported: 26.11.2025 13:10 (1 source, 1 article)
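
A pre-signing check for the hidden-transfer behaviour described above, as an added example that is not from the source article or the extension's code: it decodes System Program transfer instructions in an already-resolved instruction list and reports any whose recipient is not an address the user expects. The instruction shape (`programId`, `accounts`, `data`), the function names and the placeholder addresses are assumptions, and the sample swap is constructed.

```javascript
// Solana System Program ID and the index of its Transfer instruction.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2;

// Decode a System Program transfer (u32 LE index, u64 LE lamports).
// Returns null for any other instruction or for malformed data.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  if (ix.data.length < 12 || ix.accounts.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Report every SOL transfer whose recipient is not in the expected set.
function findUnexpectedTransfers(instructions, expectedRecipients) {
  const allowed = new Set(expectedRecipients);
  return instructions
    .map((ix, index) => ({ index, transfer: decodeSystemTransfer(ix) }))
    .filter(({ transfer }) => transfer !== null && !allowed.has(transfer.to))
    .map(({ index, transfer }) => ({ index, ...transfer }));
}

// Build transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample swap; all addresses are placeholders, not real keys.
const USER = "USER_WALLET_PLACEHOLDER";
const WSOL_ACCOUNT = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const SAMPLE_SWAP = [
  // Assumed legitimate step: funding the user's own wrapped-SOL account.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, WSOL_ACCOUNT], data: transferData(500000000n) },
  // Stand-in for the swap instruction itself (opaque to this check).
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, WSOL_ACCOUNT], data: new Uint8Array([9, 0, 0, 0]) },
  // Extra transfer of 1,300,000 lamports (0.0013 SOL) to an unknown address.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UNKNOWN_RECIPIENT_PLACEHOLDER"], data: transferData(1300000n) },
];

const findings = findUnexpectedTransfers(SAMPLE_SWAP, [USER, WSOL_ACCOUNT]);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```

The check covers top-level System Program transfers only; a real transaction must first have its account indexes resolved and its instruction data decoded into bytes before it fits this shape.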