- Trending
- Comments
- Latest
A malicious Chrome extension called Crypto Copilot secretly skimmed 0.05% from Solana users’ token swaps by embedding hidden transfer instructions that redirected funds to an attacker-controlled wallet, according to security firm Socket.
The extension, which marketed itself as a tool for trading SOL directly from X (formerly Twitter), concealed the unauthorized transactions from users during the confirmation process. Socket’s Threat Research Team discovered the scheme after analyzing the extension’s obfuscated code.
The Solana browser was promoted as a tool that allowed users to trade SOL directly from X (formerly Twitter).
But according to Socket, the extension displayed only the primary transaction on confirmation screens—carefully omitting any reference to the hidden transfer instruction embedded in its code.
“This is a textbook example of a silent skimming operation, and it’s particularly dangerous because users believe browser extensions are trustworthy,” said Zane Bond, Director of Product Management at Socket (as cited in the report).
Bond added, “Crypto Copilot exploited the one place users rarely inspect—browser-initiated blockchain instructions.”
To avoid detection, the Solana browser extension used heavy code obfuscation, including variable renaming and minification, making it harder for analysts and developers to identify the malicious logic.
The extension communicated with a backend server hosted at crypto-copliIot-dashboard.vercel.app, according to the report, logging wallet data, user activity, and referral information.
Socket researchers found that the extension was tied to a second domain, cryptocopilot.app, which appears parked and non-functional.
While not inherently malicious, Socket emphasized that legitimate Solana trading tools always provide active dashboards or transparency portals—something the Solana browser extension conspicuously lacked.
“The absence of a working dashboard raises major red flags,” said Patrick Wardle, renowned Apple and browser security researcher. “If a platform handling real assets has no functional user interface, it’s almost certainly hiding something.”
Published quietly on the Chrome Web Store in mid-2024, Crypto Copilot quickly gained traction among Solana users due to its convenience messaging.
However, this incident has intensified scrutiny over the proliferation of browser-based crypto tools, especially those offering wallet integration or direct swap functionality.
Industry voices warn that the Solana browser extension scandal underscores a larger trend.
“Browser extensions have become the new attack surface for crypto theft,” noted Chris Blec, decentralized finance analyst. “The Crypto Copilot case is a wake-up call for the entire Solana ecosystem.”
The exposure of this malicious Solana browser highlights a critical need for users to avoid Chrome extensions that interact directly with blockchain transactions unless endorsed by reputable entities.
Solana developers and analysts are now urging users to inspect their connected extensions and revoke permissions to Crypto Copilot immediately.
Cybersecurity firm Socket recommended that users “treat browser extensions as potential custodians of your assets—because many of them are.”
In the end, the Solana browser extension scandal surrounding Crypto Copilot is a stark reminder that not every tool is what it claims to be.
As more users rethink their trust in any Solana browser extension, security experts insist the ecosystem must evolve. Until then, treating every Solana browser extension with deep caution is the only safe move.
