Malicious Chrome extension siphons SOL from Solana swaps
High-volume Solana traders face increased risk as each swap performed through the extension includes a concealed payment to a hardcoded wallet.
Security researchers have uncovered a malicious Chrome extension that secretly diverts SOL from users conducting swaps on the Solana blockchain. The extension, called Crypto Copilot, injects an undisclosed transfer into every Raydium transaction, quietly routing funds to a hardcoded attacker wallet.
The tool presents itself as a convenience app that enables Solana swaps directly from X posts, connecting to wallets such as Phantom and Solflare. Behind the interface, the code appends a hidden SystemProgram.transfer instruction to each transaction.
The fee is set at either 0.0013 SOL or 0.05% of the trade amount, whichever is higher, and remains invisible unless the user inspects the complete instruction list.
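The appended-transfer pattern described above, as an added example (not the extension's code or the researchers' tooling): a pre-signing check that walks a swap's instruction list and flags any System Program transfer to an account the signer did not intend to pay, alongside the fee formula quoted above. Instruction objects use a constructed, simplified "parsed" shape and placeholder addresses rather than @solana/web3.js types, so the snippet runs offline.

```javascript
// Added example; the instruction shape and all addresses are constructed placeholders.
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // Solana System Program
const LAMPORTS_PER_SOL = 1_000_000_000;
const FLAT_FEE_LAMPORTS = 1_300_000; // 0.0013 SOL, the flat minimum the article reports

// Hidden fee as the article describes it: max(0.0013 SOL, 0.05% of the trade).
// Integer lamport arithmetic avoids floating-point rounding in the comparison.
function hiddenFeeLamports(tradeLamports) {
  const pct = Math.floor((tradeLamports * 5) / 10000); // 0.05%
  return Math.max(FLAT_FEE_LAMPORTS, pct);
}

// Return every System Program transfer whose destination is neither the signer
// nor an account the signer explicitly trusts. A plain DEX swap yields an empty list.
function findUnexpectedTransfers(instructions, signer, trusted = []) {
  const allowed = new Set([signer, ...trusted]);
  return instructions.filter((ix) =>
    ix.programId === SYSTEM_PROGRAM_ID &&
    ix.parsed !== undefined &&
    ix.parsed.type === 'transfer' &&
    !allowed.has(ix.parsed.info.destination));
}

// Constructed sample: a 10 SOL swap through a DEX program, followed by the
// kind of appended transfer the article describes. Strings are placeholders.
const SIGNER = 'USER_WALLET_PLACEHOLDER';
const DEX_PROGRAM = 'DEX_PROGRAM_PLACEHOLDER';
const DRAIN_WALLET = 'ATTACKER_WALLET_PLACEHOLDER';
const TRADE_LAMPORTS = 10 * LAMPORTS_PER_SOL;

const sampleSwap = [
  { programId: DEX_PROGRAM, data: 'swap instruction (opaque to this check)' },
  { programId: SYSTEM_PROGRAM_ID,
    parsed: { type: 'transfer',
              info: { source: SIGNER, destination: DRAIN_WALLET,
                      lamports: hiddenFeeLamports(TRADE_LAMPORTS) } } },
];

// Summarise what a wallet UI should surface before the user signs.
function reviewSwap(instructions, signer, trusted = []) {
  return findUnexpectedTransfers(instructions, signer, trusted).map((ix) => ({
    destination: ix.parsed.info.destination,
    sol: ix.parsed.info.lamports / LAMPORTS_PER_SOL,
  }));
}

console.log(reviewSwap(sampleSwap, SIGNER));
// [ { destination: 'ATTACKER_WALLET_PLACEHOLDER', sol: 0.005 } ]
```

The flat minimum dominates for trades below 2.6 SOL; above that the 0.05% term takes over, which is why the article notes the mechanism scales with swap volume.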
External services lend the app legitimacy, utilising DexScreener data, Helius RPC calls, and a backend dashboard that provides no actual functionality. Researchers warn that the disposable infrastructure, misspelt domains, and obfuscated code point to clear malicious intent, not an unfinished product.
On-chain analysis indicates limited gains for the attackers so far, most likely because the extension has seen little distribution. The mechanism, however, scales directly with swap volume, placing high-frequency and large-volume traders at the greatest risk.
Security teams are urging users to avoid closed-source trading extensions and to scrutinise Solana transactions before signing.