A fresh security warning has emerged for Solana traders after researchers uncovered a Chrome extension that secretly adds extra fees to user swaps. The extension, called Crypto Copilot, promotes fast trading directly from social media feeds. However, investigators found that it quietly inserts a hidden SOL transfer into each Raydium swap. Consequently, unsuspecting users lose a portion of their assets without any on-screen indication. This discovery raises broader concerns about browser-based trading tools and alerts traders to the risks associated with extensions that require broad signing permissions. Researchers Reveal Concealed Transfer Logic Socket’s Threat Research Team identified the behavior during a review of suspicious extensions linked to Solana activity. The extension appeared legitimate at first glance because it connects to well-known wallets and displays token data from DexScreener. However, researchers noticed that every swap generated two instructions instead of one. The extension builds the correct Raydium swap. It then appends another instruction that transfers a small amount of SOL to a single attacker-controlled wallet. The fee ranges from 0.0013 SOL to 0.05% of the trade amount. Moreover, the transfer does not appear in the interface. Typical wallet prompts summarize the full transaction as a single action, making it difficult for users to notice the additional instruction. Hence, the attacker collects fees in the background while the trader believes they are executing a normal swap. Convenience Pitch Concealed the Risks Crypto Copilot launched in June 2024 with a pitch that appealed to fast-moving Solana traders. The extension detects tokens mentioned in posts on X and offers a one-click swap button. It requests wallet-adapter permissions that look normal to anyone who trades often. Additionally, its interface presents speed and convenience as the primary features. However, none of its marketing mentions added fees or undisclosed transfers. The problematic code was hidden inside heavily obfuscated files. This raised concerns among analysts who noted that extensions offering instant trading often encourage users to sign transactions rapidly, making quiet extra instructions easier to miss. Broader Implications for Solana Users The extension remains online, and researchers have requested a takedown. Significantly, the incident highlights a wider trend. Browser extensions handling on-chain actions have grown more popular, but they also increase security exposure. Moreover, attackers now target Solana traders more often due to rising ecosystem activity. Hence, security teams advise users to review each transaction carefully, avoid unfamiliar extensions, and monitor for unusual transfer patterns.
