Solana Traders Hit by Months-Long Browser Malware That Skimmed Every Swap
Wallet interfaces typically summarize instructions as a single swap, and the bundled transaction executes atomically—meaning users unknowingly sign off on both.

What to know:
- A Chrome extension called 'Crypto Copilot' secretly redirected fees from Solana trades to an attacker's wallet.
- The extension, flagged by cybersecurity firm Socket, was available on the Chrome Web Store since June.
- Users are advised to avoid closed-source extensions with signing privileges and move assets if they used Crypto Copilot.
A Chrome extension posing as a Solana trading assistant quietly siphoned fees from user swaps for months, using obfuscated transaction logic to route a slice of every trade to an attacker-controlled wallet.
Flagged by cybersecurity firm Socket earlier this week, the ‘Crypto Copilot’ extension had been available on the Chrome Web Store since June, marketed as a convenience tool for traders on the popular Solana DEX Raydium.
However, Socket found it injected a second instruction into every Raydium swap — transferring either 0.0013 SOL or 0.05% of the trade amount to a hardcoded wallet.
The mechanism was simple: the extension generated the correct Raydium swap instruction, then appended a hidden transfer to the same transaction.
This worked because wallet interfaces typically summarize instructions as a single swap, and the bundled transaction executes atomically — meaning users unknowingly sign off on both. Imagine ordering a burger through a fast-food app where the "confirm order" button actually bundles payment, receipt printing, and handing over your food and change—all in one seamless move.
On-chain flows suggest limited adoption so far, with only small amounts collected by the attacker. But the mechanism scales with size: trades above roughly 2.6 SOL trigger the 0.05% fee, meaning a 100 SOL swap would siphon 0.05 SOL, or about $10 at current prices.
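The appended-transfer pattern described above can be checked for before signing by walking the instruction list instead of trusting the one-line swap summary. The following is an added example, not code from Socket or from the extension; it assumes instructions shaped like Solana's `jsonParsed` RPC encoding, and the function names and every address except the System Program ID are constructed placeholders.

```javascript
// Added example (not from the page): flag SOL transfers bundled into a swap.
// Instruction shape loosely follows Solana's "jsonParsed" encoding (assumed).
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000;

// Fee pattern reported on the page: 0.0013 SOL or 0.05% of the trade, read
// here as whichever is larger (consistent with the ~2.6 SOL threshold).
function reportedSkim(tradeLamports) {
  const flat = 1_300_000;                                // 0.0013 SOL
  const pct = Math.floor((tradeLamports * 5) / 10_000);  // 0.05%
  return Math.max(flat, pct);
}

// Return every System Program transfer that moves the signer's SOL to an
// account the signer does not control. ownAccounts lists legitimate
// destinations, e.g. the user's wrapped-SOL token account.
function auditSwap(instructions, signer, ownAccounts, tradeLamports) {
  const own = new Set([signer, ...ownAccounts]);
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM || ix.parsed?.type !== "transfer") return;
    const { source, destination, lamports } = ix.parsed.info;
    if (source !== signer || own.has(destination)) return;
    findings.push({ index, destination, lamports,
      matchesReportedFee: lamports === reportedSkim(tradeLamports) });
  });
  return findings;
}

// Constructed sample: a 100 SOL swap with one extra transfer appended.
const SIGNER = "USER_WALLET_PLACEHOLDER";
const WSOL = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const transfer = (destination, lamports) => ({ programId: SYSTEM_PROGRAM,
  parsed: { type: "transfer", info: { source: SIGNER, destination, lamports } } });
const sampleTx = [
  transfer(WSOL, 100 * LAMPORTS_PER_SOL),                       // wrap SOL for the swap
  { programId: "RAYDIUM_PROGRAM_PLACEHOLDER", data: "opaque" }, // the swap itself
  transfer("UNKNOWN_WALLET_PLACEHOLDER", 50_000_000),           // appended transfer
];

console.log(auditSwap(sampleTx, SIGNER, [WSOL], 100 * LAMPORTS_PER_SOL));
```

Each finding corresponds to a transfer that a signing prompt should show as its own line item rather than fold into the swap.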
Several other signals point to a hastily assembled infrastructure. The extension’s primary domain, cryptocopilot[.]app, is parked on GoDaddy, while its backend — crypto-coplilot-dashboard[.]vercel[.]app, complete with a misspelling — returns a blank page despite collecting wallet metadata.
Socket said it has submitted a formal takedown request to Google, though the extension remained live at the time of writing. It warned users to avoid closed-source extensions that request signing privileges and to migrate assets to fresh wallets if they interacted with Crypto Copilot.