Crypto Thieves Steal Solana via Hidden Chrome Extensions - TechRepublic

Crypto Thieves Steal Solana via Hidden Chrome Extensions

Crypto Copilot. Source: Chrome Web Store

Socket researchers identified a malicious Chrome extension that manipulates Raydium swaps.

Nov 27, 2025

The latest threat targeting cryptocurrency users has emerged with surgical precision, and it’s happening in your browser.

This is a sophisticated attack method where malicious Chrome extensions are injecting hidden transfer fees into legitimate Solana transactions, allowing criminals to siphon funds without users even realizing they’ve been robbed.

Socket researchers identified the extension. What makes this attack particularly insidious is that victims sign the transactions themselves, completely unaware that hidden transfer instructions have been embedded within legitimate Raydium and Jupiter operations.

The details

Socket’s Threat Research Team has outlined all the details.

It discovered the malicious Chrome extension Crypto Copilot, published on June 18, 2024, which markets itself as a tool to “execute trades instantly from your X feed.” Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet. The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code.

When a user performs a swap, Crypto Copilot builds the expected Raydium swap instruction, then quietly appends a second instruction that transfers SOL from the user to Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7.

The UI shows only the swap details. Wallet confirmation screens typically summarize the transaction without surfacing individual instructions. Users sign what appears to be a single swap, but both instructions execute atomically on-chain.
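The pattern above is detectable before the user signs, because an appended SOL transfer is an ordinary System Program instruction whose data layout is public. The following wallet-side check is an added example, not code from the article, from Socket, or from any wallet or extension: it decodes every System Program Transfer in a transaction (a little-endian u32 instruction index of 2 followed by a u64 lamport amount) and flags destinations outside the user's allow-list. The swap program id, wallet addresses and the simplified instruction shape (pubkeys listed directly rather than account indices) are constructed for the demo, and hiddenFeeLamports encodes the article's "minimum of 0.0013 SOL or 0.05% of the trade" rule as the larger of the two.

```javascript
// Added defensive example (not from the article or Socket's report).
// Instruction shape is a simplified model: {programId, keys: [pubkeys], data: Uint8Array}.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // real System Program id
const SWAP_PROGRAM = "SwapProgramP1aceho1der111111111111111111111"; // hypothetical AMM id
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Encode a System Program Transfer: u32 LE instruction index 2, then u64 LE lamports.
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Decode a transfer; returns null for anything that is not a System Program Transfer.
function decodeTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, 12);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.keys[0], to: ix.keys[1], lamports: view.getBigUint64(4, true) };
}

// Pre-signing check: every SOL transfer whose destination the user did not expect.
function findUnexpectedTransfers(instructions, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  return instructions.map(decodeTransfer).filter((t) => t !== null && !allowed.has(t.to));
}

// The skim described above: the larger of 0.0013 SOL and 0.05% of the trade amount.
function hiddenFeeLamports(tradeLamports) {
  const floor = 1_300_000n; // 0.0013 SOL
  const pct = BigInt(tradeLamports) / 2000n; // 0.05%
  return pct > floor ? pct : floor;
}

// Constructed transaction: the expected swap plus an appended transfer for a 10 SOL trade.
const USER = "UserWa11etP1aceho1der1111111111111111111111";
const ATTACKER = "AttackerWa11etP1aceho1der11111111111111111";
const sampleTx = [
  { programId: SWAP_PROGRAM, keys: [USER], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM, keys: [USER, ATTACKER],
    data: encodeTransferData(hiddenFeeLamports(10n * LAMPORTS_PER_SOL)) },
];

// A wallet would surface this list instead of a bare "swap" summary before signing.
const flagged = findUnexpectedTransfers(sampleTx, [USER]);
for (const t of flagged) console.log(`unexpected transfer of ${t.lamports} lamports to ${t.to}`);
```

On a 10 SOL trade the appended transfer is 0.005 SOL, and on a 1 SOL trade it falls back to the 0.0013 SOL floor, which is why the skim is easy to miss in a summary that only shows the swap.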

Socket says the extension remains available at the time of writing. It has helpfully submitted a takedown request to Google’s Chrome Web Store security team.

Extension heist

Six months ago, a single malicious Chrome extension called “Aggr” successfully stole $1 million from one victim. This devastating attack exposed how easily criminals can manipulate network requests, modify page content, and access sensitive browser data including cookies and storage with just the right permissions.

The cryptocurrency ecosystem has become ground zero for extension-based attacks. Research published just last month revealed that 186 malicious cryptocurrency-themed extensions were identified out of 3,599 analyzed over 18 months. These malicious tools have already funneled over $1 million worth of cryptocurrencies into attacker-controlled wallets during their operational lifespans. These extensions evade detection from 84.4% of leading antivirus engines and remain available in extension stores for over a month in 73.1% of cases.

Criminals have evolved beyond simple phishing attempts – they’re now infiltrating the very tools users trust most.

Targeting Raydium

Earlier this year, criminals began creating pixel-perfect clones of legitimate platforms like Raydium to deceive users. These fake sites promote non-existent “airdrops” of RAY tokens and other Solana-based cryptocurrencies, executing malicious JavaScript code the moment users connect their wallets.

During the summer surge of meme coin trading, the “Bull Checker” extension specifically targeted Reddit users interested in meme coin trading, with an anonymous user called “Solana_OG” promoting the tool across Solana subreddits. The extension requested excessive permissions to read and change all data on websites – far beyond what a legitimate read-only tool would require. Airdrop drainer scams alone caused $780 million in losses during 2024, highlighting the massive scale of this threat.

What this means for crypto users

The implications extend far beyond individual losses. Even major platforms like Raydium have suffered devastating attacks, with one incident nearly two years ago resulting in approximately $5.5 million stolen when attackers compromised admin private keys through trojan malware.

Extensions targeting less popular cryptocurrencies like Monero and MintCoin demonstrate that no digital asset is safe.

Users must immediately audit their installed Chrome extensions, verify URLs before connecting wallets, and recognize that legitimate platforms will never request excessive browser permissions for basic functionality.
