Chrome Plugin Hijacks Solana Swaps by Injecting 0.05% Hidden Fee Transfers


How a Chrome Extension Is Draining Solana Through Hidden Swap Instructions
A malicious Google Chrome browser extension posing as a convenience tool for Solana traders has been caught silently adding unauthorized transfers to every swap. According to cybersecurity firm Socket, the plugin — called Crypto Copilot — allows users to initiate Solana trades directly from their X (Twitter) feed, but secretly injects an additional instruction that siphons SOL to an attacker-controlled wallet.
Unlike traditional wallet-draining malware that attempts to empty an entire account, Crypto Copilot uses a more subtle and persistent method. For every Raydium swap the user performs, the extension appends an extra on-chain action transferring at least 0.0013 SOL — or up to 0.05% of the trade amount — to the attacker. Because the malicious instruction executes atomically with the legitimate swap, the wallet interface only shows a high-level summary, making the theft nearly invisible.
Socket explained that users “sign what appears to be a single swap, but both instructions execute atomically,” allowing Crypto Copilot to drain small amounts over time while avoiding the large red flags that would trigger wallet warnings.
What Makes the Attack Mechanism So Effective?
Crypto Copilot performs swaps using Raydium, a popular Solana-based decentralized platform. The extension’s front-end shows clean swap details with no indication of tampering. The malicious logic resides in the background, where the plugin prepares the full transaction payload submitted to the user’s wallet.
The attack works because many Solana wallets summarize complex transactions rather than displaying each instruction line. That means if a transaction contains two operations — a swap and an extra transfer — the user may not see the added transfer unless they manually expand the details or use an advanced inspector.
The attacker relies on several design weaknesses:
- Instruction bundling: Solana allows multiple instructions to execute atomically in one transaction, enabling attackers to hide malicious components inside otherwise normal operations.
- Wallet abstraction layers: Wallets often compress transactions into simplified confirmation screens for usability, masking individual steps.
- User trust in browser tools: Traders assume extensions approved in the Chrome Web Store are vetted, even though the review process does not detect on-chain manipulation.
This type of attack is particularly dangerous because it drains funds slowly and predictably, reducing the likelihood that victims will notice suspicious outflows. For the attacker, it creates a consistent and low-risk revenue stream.
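The instruction-level view that a summarising wallet screen hides is easy to reconstruct before signing. The following is an added example, not code from Socket, Crypto Copilot or Raydium: it walks a transaction's instruction list, decodes every System Program transfer, and reports SOL leaving the user's wallet to any recipient that is not expected for the swap. Only the System Program id and its Transfer encoding (a little-endian u32 instruction index of 2 followed by a little-endian u64 lamport amount) are real; the swap program id, the account names and the swap instruction payload are placeholders constructed for the example.

```javascript
// Added example (not Socket's, Crypto Copilot's or Raydium's code): a pre-sign
// audit of a Solana transaction's instruction list. Real: the System Program id
// and its Transfer layout. Placeholders: the swap program id, account names and
// the swap instruction data.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SWAP_PROGRAM_ID = "PLACEHOLDER_SWAP_PROGRAM_ID"; // hypothetical stand-in for the DEX program

// Build a System Program Transfer instruction (used here only to construct sample input).
function encodeSystemTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);           // SystemInstruction::Transfer has index 2
  view.setBigUint64(4, lamports, true); // amount in lamports (1 SOL = 1e9 lamports)
  return { programId: SYSTEM_PROGRAM_ID, accounts: [from, to], data };
}

// Decode a System Program Transfer; returns null for any other instruction.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Report every SOL transfer out of the user's wallet whose recipient is not on the
// allowlist, and note whether it is bundled with a swap in the same transaction.
function auditTransaction(tx, { userWallet, allowedRecipients }) {
  const hasSwap = tx.instructions.some((ix) => ix.programId === SWAP_PROGRAM_ID);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t || t.from !== userWallet || allowedRecipients.includes(t.to)) return;
    findings.push({
      index,
      to: t.to,
      lamports: t.lamports,
      sol: Number(t.lamports) / 1e9,
      bundledWithSwap: hasSwap, // a side transfer riding with a swap is the pattern described above
    });
  });
  return findings;
}

// Constructed sample: a swap instruction followed by a 0.0013 SOL transfer to an
// unknown address, mirroring the bundling Socket describes.
function sampleTransaction() {
  const swapIx = {
    programId: SWAP_PROGRAM_ID,
    accounts: ["USER_WALLET", "POOL_PLACEHOLDER"],
    data: new Uint8Array([9, 0, 0, 0]), // placeholder payload, not a real swap encoding
  };
  const hiddenIx = encodeSystemTransfer("USER_WALLET", "UNKNOWN_RECIPIENT", 1_300_000n);
  return { instructions: [swapIx, hiddenIx] };
}

function auditSampleTransaction() {
  return auditTransaction(sampleTransaction(), {
    userWallet: "USER_WALLET",
    allowedRecipients: ["POOL_PLACEHOLDER"],
  });
}

console.log(auditSampleTransaction());
```

On the constructed input the audit returns one finding: instruction index 1, 1,300,000 lamports (0.0013 SOL) to an address the user never chose, flagged as bundled with a swap. A wallet or extension-review tool that applied the same check to the real instruction list would surface exactly the transfer the summary screen collapses.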
How Long Has the Extension Been Active?
Crypto Copilot was added to the Chrome Web Store on June 18, 2024, making it unusually long-lived for a malicious crypto plugin. Most harmful extensions are removed rapidly once reports surface, but this one has operated for more than a year.
Despite its longevity, the plugin shows only 15 users at the time of reporting. That low adoption likely helped it stay under the radar, as large-scale draining operations are easier for researchers to detect and trace.
Socket has filed a takedown request with Google’s security team to remove the plugin from the Chrome Web Store.
Crypto Copilot markets itself as a convenience tool, promising that users can “act on trading opportunities instantly without switching apps.” This social-engineering tactic targets active traders who value speed and convenience — exactly the type of user more willing to grant wallet permissions without deep inspection.
The Broader Pattern: Chrome Extensions as a Repeat Attack Vector
Crypto Copilot is the latest in a growing list of malicious Chrome extensions targeting crypto users. The browser’s massive install base and flexible permission system make extensions an attractive attack surface.
- Earlier this month: Socket identified that the fourth-most-popular in the Chrome Web Store was draining user funds.
- August 2025: Jupiter, a major Solana aggregator, warned users about another malicious extension that was emptying Solana wallets.
- June 2024: A Chinese trader reportedly lost $1 million after installing a plugin called Aggr, which stole browser cookies and hijacked .
These attacks illustrate how browser extensions now serve as an alternative route to bypass typical crypto-security precautions. Instead of breaking into wallets directly, attackers compromise the browser layer, where users grant highly sensitive permissions without the same scrutiny.
What Should Users Do Now?
Socket recommends that users immediately uninstall Crypto Copilot and review recent Solana transactions for small, unexplained transfers. Because the extension siphons funds in small increments, victims may not detect losses without scanning their full activity history.
Users should also disable any browser extensions capable of accessing wallet data, avoid signing transactions from unfamiliar scripts, and consider switching to wallets that display full instruction-level breakdowns.
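Reviewing a full activity history by hand for 0.0013 SOL outflows is tedious, so a script is the practical way to do the check the previous paragraphs call for. This is an added example, not Socket's code: it takes an exported list of the wallet's past transactions (swap size plus any plain SOL transfers out of the wallet, as a block explorer export would list them) and looks for a destination that repeatedly receives a side payment tracking the swap size. The sample history, the address names and the fee rule (assumed here to be the larger of 0.0013 SOL and 0.05% of the swap, built from the figures in the article) are constructed for the example.

```javascript
// Added example (not Socket's code): scan an exported SOL transfer history for the
// skimming pattern described above. Sample data, address names and the exact fee
// rule are constructed from the article's figures, not taken from the extension.
const LAMPORTS_PER_SOL = 1_000_000_000n;
const FLOOR_LAMPORTS = 1_300_000n; // 0.0013 SOL, the floor reported by Socket
const FEE_BPS = 5n;                // 0.05% expressed in basis points

// Fee the reported scheme would take from a swap of the given size.
// Assumption: max(floor, 0.05% of the swap); the article gives both figures.
function reportedFee(swapLamports) {
  const pct = (swapLamports * FEE_BPS) / 10_000n;
  return pct > FLOOR_LAMPORTS ? pct : FLOOR_LAMPORTS;
}

// True when `amount` is within `tolBps` basis points of `expected` (default 5%).
function roughlyEqual(amount, expected, tolBps = 500n) {
  const diff = amount > expected ? amount - expected : expected - amount;
  return diff * 10_000n <= expected * tolBps;
}

// history: [{ signature, swapLamports | null, outflows: [{ to, lamports }] }]
// Outflows are System Program transfers out of the wallet; the swap's own pool
// deposits are not part of this list.
function findSkimmingDestinations(history, minHits = 2) {
  const byDest = new Map();
  for (const tx of history) {
    if (tx.swapLamports === null) continue; // only swaps carry the hidden fee
    const expected = reportedFee(tx.swapLamports);
    for (const out of tx.outflows) {
      if (!roughlyEqual(out.lamports, expected)) continue;
      const rec = byDest.get(out.to) || { to: out.to, hits: 0, totalLamports: 0n, signatures: [] };
      rec.hits += 1;
      rec.totalLamports += out.lamports;
      rec.signatures.push(tx.signature);
      byDest.set(out.to, rec);
    }
  }
  // A destination paid once could be coincidence; repeated matching payments are not.
  return [...byDest.values()].filter((r) => r.hits >= minHits);
}

// Constructed sample history: three swaps each carrying a matching side payment
// to the same unknown address, plus one unrelated transfer to a known contact.
const SAMPLE_HISTORY = [
  { signature: "sig-1", swapLamports: 1n * LAMPORTS_PER_SOL,  outflows: [{ to: "UNKNOWN_ADDR", lamports: 1_300_000n }] },
  { signature: "sig-2", swapLamports: 20n * LAMPORTS_PER_SOL, outflows: [{ to: "UNKNOWN_ADDR", lamports: 10_000_000n }] },
  { signature: "sig-3", swapLamports: null,                  outflows: [{ to: "FRIEND_ADDR", lamports: 250_000_000n }] },
  { signature: "sig-4", swapLamports: LAMPORTS_PER_SOL / 2n, outflows: [{ to: "UNKNOWN_ADDR", lamports: 1_300_000n }] },
];

function scanSampleHistory() {
  return findSkimmingDestinations(SAMPLE_HISTORY);
}

console.log(scanSampleHistory());
```

On the sample, the 1 SOL and 0.5 SOL swaps both fall under the floor and carry 0.0013 SOL, while the 20 SOL swap carries 0.05%, or 0.01 SOL; the one address that collected all three is reported with three hits and 0.0126 SOL in total, and the transfer to the known contact is ignored. The tolerance and the minimum hit count are the two knobs to tune against a real export.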
As Chrome extension attacks grow more sophisticated, the crypto community faces a new security frontier: protecting the browser layer, not just the blockchain.