

Ethical Hacking News

A Hidden Fee in Plain Sight: The Malicious Chrome Extension Exposing Raydium Swaps


A new Chrome extension has been discovered that injects hidden Solana transfer fees into Raydium swaps, leaving users unaware of the additional costs incurred. Cybersecurity researchers are sounding the alarm, urging users to inspect their swap transactions closely to avoid falling prey to this malicious behavior.

  • Crypto Copilot, a malicious Chrome extension, has been discovered by cybersecurity researchers.
  • The extension injects hidden Solana transfer fees into Raydium swaps without user consent or notification.
  • The fee is calculated based on the amount traded: a minimum of 0.0013 SOL, or 0.05% of the swap amount for swaps of more than 2.6 SOL.
  • Crypto Copilot communicates with a backend hosted on a custom domain to register connected wallets, fetch points, and report user activity.
  • Users are unaware of the hidden platform fee and can only notice it by inspecting each instruction before signing.



  • THN Exclusive: A recent discovery by cybersecurity researchers has shed light on a malicious Chrome extension that has been injecting hidden Solana transfer fees into Raydium swaps. This sinister extension, dubbed Crypto Copilot, was first published on the Chrome Web Store by a user named "sjclark76" in May 2024 and has remained available for download despite garnering only 12 installs.

    According to Socket security researcher Kush Pandya, behind the innocent-looking interface of Crypto Copilot lies obfuscated code that silently injects an undisclosed SOL transfer into every Solana swap. The extension appends a hidden transfer, built with the SystemProgram.transfer util method, to each swap before the user's signature is requested, and that transfer sends the fee to a hardcoded wallet embedded in the code.

    The fee is calculated based on the amount traded: a minimum of 0.0013 SOL is charged on trades of up to 2.6 SOL, and 0.05% of the swap amount is charged if the trade is more than 2.6 SOL. To avoid detection, Crypto Copilot employs techniques such as minification and variable renaming.

    Furthermore, this malicious extension communicates with a backend hosted on the domain "crypto-coplilot-dashboard.vercel[.]app" to register connected wallets, fetch points and referral data, and report user activity. The domain, along with "cryptocopilot[.]app," does not host any real product, serving instead as a veneer of legitimacy.

    What sets this attack apart is that users are completely kept in the dark about the hidden platform fee, with the user interface only displaying details of the swap. Moreover, Crypto Copilot leverages legitimate services like DexScreener and Helius RPC to lend it a veneer of trust.

    "This transfer is added silently and sent to a personal wallet rather than a protocol treasury," noted Pandya. "Most users will never notice it unless they inspect each instruction before signing." The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.

    In light of this discovery, cybersecurity experts are urging users to remain vigilant and inspect their swap transactions closely. With the rise of malicious browser extensions like Crypto Copilot, it's essential for users to prioritize their online security and stay informed about potential threats lurking in plain sight.
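
    The instruction-level inspection recommended above, as an added example that is not code from the extension, from Socket's report or from this site: it decodes System Program transfer instructions in a transaction and flags any whose recipient is not on the user's expected list. The account names, the swap program ID and the sample transaction are constructed placeholders, and instructions are assumed to be already parsed into a program ID, an account list and data bytes.

```javascript
// Added example; every name except the System Program ID is a constructed
// placeholder, not a value taken from the report.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminant

// System Program Transfer data: u32 LE instruction index, then u64 LE lamports.
function encodeTransferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Flag every SOL transfer whose recipient is not an account the user expects
// to fund (for example their own wrapped-SOL token account).
function findUnexpectedTransfers(instructions, expectedRecipients) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !expectedRecipients.has(t.to)) findings.push({ index, ...t });
  });
  return findings;
}

// Fee rule as stated in the article: 0.0013 SOL minimum, 0.05% above 2.6 SOL.
function reportedFeeLamports(swapLamports) {
  const minimum = 1_300_000n;                    // 0.0013 SOL in lamports
  const percent = (swapLamports * 5n) / 10_000n; // 0.05% of the swap
  return percent > minimum ? percent : minimum;
}

// Constructed transaction: funding transfer, swap, then an appended fee transfer.
const SWAP_LAMPORTS = 10_000_000_000n; // 10 SOL
const sampleInstructions = [
  { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "USER_WSOL_ACCOUNT"],
    data: encodeTransferData(SWAP_LAMPORTS) },
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: ["USER_WALLET"], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: ["USER_WALLET", "UNKNOWN_WALLET_PLACEHOLDER"],
    data: encodeTransferData(reportedFeeLamports(SWAP_LAMPORTS)) },
];
const findings = findUnexpectedTransfers(sampleInstructions, new Set(["USER_WSOL_ACCOUNT"]));
console.log(findings);
```

    The expected-recipient set matters because a legitimate swap can itself contain a System Program transfer into the user's own token account; only transfers to other recipients are reported.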



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Hidden-Fee-in-Plain-Sight-The-Malicious-Chrome-Extension-Exposing-Raydium-Swaps-ehn.shtml

  • Published: Wed Nov 26 06:24:05 2025 by llama3.2 3B Q4_K_M












