Beware of new malicious extensions! Crypto Copilot steals 0.05% of Solana users' assets from each transaction.

The Socket Threat Research Team recently discovered that a Chrome extension named Crypto Copilot has been continuously stealing funds from Solana traders since its launch in June 2024. The extension silently adds an extra instruction to every Raydium swap transaction, transferring at least 0.0013 SOL or 0.05% of the transaction amount to a wallet controlled by the attacker. At the time of writing, the extension is still live in the Chrome Web Store; the researchers have submitted a takedown request to Google but have not yet received confirmation that it has been acted on.

In-depth Analysis of Malicious Code Operation Mechanism

The Crypto Copilot extension hides its malicious behavior behind heavily obfuscated JavaScript. When a user performs a normal Raydium swap, the extension builds two consecutive instructions: on the surface it generates the standard swap instruction, but it then appends a second transfer instruction that moves the user's funds to the attacker's wallet with the address Bjeida. This two-instruction structure means the user sees only a legitimate swap in the interface, while most wallet confirmation windows display only a high-level summary of the transaction rather than the complete instruction list.

Figure: Crypto Copilot malware (Source: Socket)

The extension's fee logic is entirely hard-coded and follows a "whichever is higher" rule between a minimum fee and a proportional fee. Specifically, each transaction is skimmed for at least 0.0013 SOL, and once the transaction amount exceeds 2.6 SOL (the point at which 0.05% of the amount equals 0.0013 SOL) the proportional fee of 0.05% applies instead. This tiered design guarantees a baseline take on small trades while scaling up on larger ones, showing how carefully the attacker tuned it to maximize revenue.

Researchers found that the extension also hides its behavior through variable renaming and aggressive minification, with the attacker's wallet address buried under unrelated variable labels deep in the code bundle. Beyond the fund-stealing logic, the extension periodically sends connected wallet identifiers and activity data to a backend named crypto-coplilot-dashboard.vercel.app, which currently displays only a blank placeholder page, suggesting that the attacker's infrastructure is rudimentary.

Malicious Extension Technical Features and Data Summary

Attack Method

  • Target network: Solana
  • Target of attack: Raydium trading users
  • Theft ratio: 0.05% or a minimum of 0.0013 SOL
  • Concealment methods: instruction appending, code obfuscation

Technical Details

  • Uses a hard-coded Helius API key for transaction simulation
  • Connects to a backend on a misspelled domain (crypto-coplilot-dashboard.vercel.app)
  • Hides malicious code by renaming variables

Scope of Impact

  • Launch time: June 2024
  • Current status: still available for download from the Chrome Web Store
  • Data leakage: wallet identifiers and transaction data

Industry Background and Trends of Browser Extension Attacks

By 2025, browser extensions have become one of the most persistent vectors for crypto attacks, a trend further confirmed by the Socket team's release of the Crypto Copilot analysis report. Looking back at the security incidents in July, over 40 malicious Firefox extensions were found impersonating mainstream wallet providers, including MetaMask, Coinbase, Phantom, OKX, and Trust Wallet. These counterfeit extensions directly harvest wallet credentials from users' browsers and transmit them to servers controlled by attackers.

Exchanges are responding to such threats increasingly quickly. OKX publicly issued a warning and submitted a complaint to relevant authorities after discovering a counterfeit plugin posing as an official wallet tool. This proactive response reflects the industry's heightened awareness of the dangers posed by browser extension attacks, but the loopholes in the extension review mechanism still allow malicious programs to thrive.

In terms of the scale of losses, CertiK data shows that of the 2.2 billion dollars stolen in the first half of 2025, vulnerabilities related to wallets accounted for as much as 1.7 billion dollars, while phishing incidents caused an additional loss of 410 million dollars. Although the overall security situation improved in October—PeckShield recorded only 15 security incidents that month with total losses of 18.18 million dollars, marking the lowest level of the year—the threat from browser extensions showed an upward trend.

User Protection Strategies and Risk Mitigation Recommendations

In the face of increasingly complex threats from browser extensions, Solana users and other crypto participants need to establish a multi-layered protection system. The primary principle is to carefully review extension permission requests, especially those that ask for access to all website data or input sensitive information. Before installation, developers' identities should be verified, user reviews and historical update records should be checked, and particular caution should be exercised with emerging tools that lack a track record.

Adjusting trading habits is equally important. Before executing each transaction, users should check the complete transaction details in the wallet confirmation window rather than relying solely on the high-level summary. For Solana users in particular, it helps to use a wallet that supports transaction instruction parsing: such tools break a complex transaction down into its individual instructions, making an appended transfer to an unknown address much easier to spot.
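The instruction-level check recommended above, and the two-instruction structure and tiered fee described in the analysis section, are easier to reason about in code. The following is an added example written for this article; it is not code from Socket's report, from the Crypto Copilot extension, or from any wallet. It models a decoded Solana transaction as plain objects (a real wallet would decode them with a library such as @solana/web3.js, which is deliberately not used so the file runs offline), and the Raydium program id and attacker address are constructed placeholders. The System Program id is the real one. `skimmedLamports` reproduces the fee schedule the article reports, and `findUnexpectedTransfers` walks the instruction list and flags any System Program transfer to a destination the user did not expect, which is exactly the instruction a plain swap should never contain.

```javascript
// Added example, not part of the original article or of any wallet's code.
// Instructions are modeled as plain objects rather than decoded with
// @solana/web3.js so that the file runs with no dependencies.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real Solana System Program id
const RAYDIUM_PROGRAM_ID = "RaydiumProgramPlaceholder";        // constructed placeholder
const ATTACKER_WALLET = "AttackerWalletPlaceholder";           // constructed placeholder
const LAMPORTS_PER_SOL = 1_000_000_000;

// Fee schedule as reported: max(0.0013 SOL, 0.05 % of the swap amount).
// The two branches meet at 0.0013 / 0.0005 = 2.6 SOL, the threshold the article cites.
function skimmedLamports(amountLamports) {
  const minimum = 0.0013 * LAMPORTS_PER_SOL;
  const proportional = amountLamports * 0.0005;
  return Math.round(Math.max(minimum, proportional));
}

// Walk every instruction and report System Program transfers whose destination
// is not one the user explicitly trusts. A plain swap should produce no findings.
function findUnexpectedTransfers(tx, trustedDestinations) {
  const trusted = new Set(trustedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;   // only System Program transfers move SOL this way
    if (ix.data.kind !== "transfer") return;          // ignore other System Program instructions
    if (trusted.has(ix.data.to)) return;              // user-approved destination
    findings.push({ index, to: ix.data.to, lamports: ix.data.lamports });
  });
  return findings;
}

// True when the transaction does nothing beyond what the swap UI claimed.
function isCleanSwap(tx, trustedDestinations = []) {
  return findUnexpectedTransfers(tx, trustedDestinations).length === 0;
}

// Constructed sample transactions: an honest swap and the same swap with a
// skim transfer appended, mirroring the structure the report describes.
const SWAP_AMOUNT = 10 * LAMPORTS_PER_SOL;
const honestSwap = {
  instructions: [
    { programId: RAYDIUM_PROGRAM_ID, data: { kind: "swap", amountIn: SWAP_AMOUNT } },
  ],
};
const tamperedSwap = {
  instructions: [
    ...honestSwap.instructions,
    {
      programId: SYSTEM_PROGRAM_ID,
      data: { kind: "transfer", to: ATTACKER_WALLET, lamports: skimmedLamports(SWAP_AMOUNT) },
    },
  ],
};

// Stand-alone run: prints the one finding for the tampered swap.
console.log("honest swap clean:", isCleanSwap(honestSwap));
console.log("tampered swap findings:", findUnexpectedTransfers(tamperedSwap, []));
```

The check is intentionally conservative: it does not try to understand the swap itself, only to confirm that no SOL leaves the wallet through an instruction the user never asked for. That is the same property a wallet's instruction parser or simulation view exposes, and it is why the report stresses reading the full instruction list rather than the summary.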

From a technical protection perspective, regularly reviewing installed browser extensions and promptly removing unnecessary or suspicious components is an effective preventive measure. Using a dedicated browser for cryptocurrency operations, isolated from daily browsing activities, can also significantly reduce risk exposure. Although hardware wallets cannot completely prevent such attacks, they can provide an additional layer of security for large assets, limiting the potential scale of losses.

The Urgent Need for Platform Responsibility and Industry Collaboration

The failure of the Chrome Web Store review mechanism was fully exposed in this incident. The Crypto Copilot extension was able to operate continuously for almost half a year since June without interruption, reflecting the platform's technical shortcomings in detecting malicious code. Although the Socket team has submitted a delisting request, Google's processing delays may lead to more users being harmed, and this response speed is severely mismatched with the security needs of the crypto industry.

From the perspective of industry self-regulation, wallet providers need to take on more of the educational burden. Improving how the transaction confirmation screen presents information, and surfacing more intuitive risk warnings, would help users recognize abnormal transactions. Mainstream wallets such as Phantom have begun exploring transaction simulation, showing users the expected outcome of a transaction before they sign it, which is particularly effective at exposing hidden instructions.

Regulatory coordination is another important part of responding to extension threats. Financial regulators in each jurisdiction should strengthen oversight of the browser extension market and establish rapid communication channels with platform providers. At the same time, law enforcement agencies need to improve their capability to trace on-chain funds so that, when a malicious extension is discovered, the funds involved can be frozen quickly and victims have a realistic chance of recovering their losses.

Evolution of Security Threats and Construction of Ecological Defense Systems

The Crypto Copilot incident is not just an isolated security warning but the latest example of how browser extension threats keep evolving. As mainstream adoption of crypto accelerates, attackers' techniques grow steadily more sophisticated, from simple phishing sites to elaborate code obfuscation, and defenders must upgrade their response at the same pace. For ordinary users, security awareness and prudent habits remain the most effective shield; for industry participants, shared threat intelligence and a rapid response mechanism are the foundation of a healthy ecosystem. For the foreseeable future, browser extensions will remain a favored entry point for attackers, and only the combined efforts of user education, technical improvements, and regulatory collaboration will keep defenders ahead in this ongoing contest.
