A malicious Chrome extension called Crypto Copilot lets users trade Solana directly from X but secretly skims a small portion of the transaction.
News
A malicious Google Chrome browser extension is letting users trade on Solana, while quietly skimming a fee from every swap into the creator’s wallet.
According to a Tuesday by cybersecurity company Socket, the Google Chrome extension allows users to trade on () from their X social media feed. Unlike typical wallet-draining malware that tries to steal the entire balance, Crypto Copilot “injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade,” Socket found.
On the back end, Crypto Copilot uses the Raydium to perform swaps for the user, but appends a second instruction that transfers SOL from the user to the attacker. The user interface only shows the swap details while wallet confirmation screens “summarize the transaction without surfacing individual instructions.”
“Users sign what appears to be a single swap, but both instructions execute atomically on-chain,“ Socket said.
Related:
A long-lived operation
Socket noted that it submitted a takedown request for the extension to the Chrome Web Store security team. The malicious extension is relatively long-lived, having been published on June 18, 2024, but the store reports that it only has 15 users at the time of writing.
Crypto Copilot markets itself as a convenience tool allowing Solana traders to execute swaps directly from Twitter. It promises “allowing you to act on trading opportunities instantly without the need for switching between apps or platforms.”
Related:
The latest of many malicious Google Chrome extensions
Google Chrome’s massive user base and extensible design have long made its extension ecosystem a target for crypto-focused scams. Earlier this month, Socket warned that the fourth-most-popular crypto wallet extension in the Chrome Web Store was . In late August, decentralized exchange aggregator Jupiter said it had identified another malicious Chrome extension that was .
In June 2024, a Chinese trader after installing a Chrome plugin called Aggr. That extension stole browser cookies to hijack accounts, including access to the trader’s Binance account.
Magazine:
