Chrome Extension Caught Skimming Solana Trades - Users Unknowingly Paying Hacker Fee

Markets 2025-11-28 09:34

A Google Chrome browser extension advertised as a shortcut for trading Solana directly from the X (Twitter) feed has been identified as malware, quietly siphoning funds from every transaction executed through it.

Key Takeaways

  • A malicious Chrome extension added hidden fees to every Solana swap and routed them to an attacker.

  • The plug-in has been live since June and marketed itself as a trading shortcut for X users.

  • Chrome extensions remain a high-risk environment for crypto transactions due to broad permissions and limited visibility into instructions users sign. 

Cybersecurity firm Socket uncovered the scheme and reported that the extension — titled Crypto Copilot — inserts a hidden fee into each swap. Instead of draining entire wallets in a single hit (the hallmark of most Solana-focused malware), the attacker opted for a slower and less noticeable method: taking a small cut from every trade.

How the theft is carried out

Socket’s review of the code revealed that Crypto Copilot routes swaps through Raydium, a popular Solana DEX. But before users approve the transaction, the extension adds an extra instruction that funnels part of the trade — a minimum of 0.0013 SOL or roughly 0.05% of the swap value — to the attacker.

The extension relies on the fact that most users only review the high-level summary shown in the wallet approval window. Because both transfers execute in the same transaction, there is no visible indication that a second transfer is taking place.
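
A wallet-side check for the appended transfer described above, as an added example (not code from Socket or from the extension): it decodes System Program transfer instructions in a simplified instruction list and reports any SOL leaving the wallet to an address the user did not expect. The instruction object shape, the placeholder addresses and the function names are assumptions made for illustration.

```javascript
// Added example: audit an unsigned transaction's instructions for extra SOL transfers.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";

// System Program "Transfer" data layout: u32 LE instruction index (2) + u64 LE lamports.
// Account order for Transfer is [from, to].
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Return every SOL transfer out of `wallet` whose recipient is not in `expected`
// (addresses the user knowingly funds, such as their own token accounts).
function findUnexpectedTransfers(instructions, wallet, expected = new Set()) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === wallet && t.to !== wallet && !expected.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}

// Build Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}

// Constructed sample: a swap instruction followed by an appended transfer of
// 1,300,000 lamports (0.0013 SOL). All addresses are placeholders, not real keys.
const WALLET = "UserWalletPlaceholder";
const sampleTx = [
  { programId: "DexProgramPlaceholder", accounts: [WALLET, "PoolPlaceholder"], data: new Uint8Array([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM, accounts: [WALLET, "UnknownRecipientPlaceholder"], data: transferData(1_300_000n) },
];

function auditSample() {
  return findUnexpectedTransfers(sampleTx, WALLET);
}

console.log(auditSample());
```

Any finding means the transaction moves SOL somewhere the swap summary does not account for and should be rejected or inspected before signing.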

Installed since June — barely noticed until now

Crypto Copilot has been available on the Chrome Web Store since June 18, 2024. According to the storefront listing, it has 15 active users, though the exact number affected by unauthorized transfers is unclear.

The extension marketed itself as a productivity upgrade — enabling Solana swaps without leaving the X interface — which likely helped it avoid early suspicion. Socket says it has already requested that Google remove the listing, but the plug-in remained accessible at the time of reporting.

Growing pattern of Chrome-based wallet theft

This is not an isolated case. Malicious Chrome extensions have become one of the most effective attack vectors targeting crypto users:

  • Earlier this month, Socket flagged another highly downloaded wallet extension that was draining funds.

  • In August, the Jupiter team warned Solana users about a Chrome plug-in that emptied wallets.

  • In June 2024, a Chinese trader reported losing $1 million after installing a malicious extension that harvested browser cookies and gained access to his Binance account.

Security researchers caution that Chrome extensions have become a preferred target because users often accept permission prompts without understanding the access being granted.
