
Solana Extension ‘Crypto Copilot’ Caught Redirecting User Funds Through Secret Trades


According to a study from cybersecurity company Socket’s Threat Research Team, a Chrome browser extension called “Crypto Copilot” that was made for trading Solana has been caught secretly stealing user funds by putting hidden transfer instructions in swap transactions.

The application, which was advertised as a method to trade directly from X (previously Twitter), was found to send a percentage of every swap to a wallet controlled by an attacker without users knowing.

Socket’s research demonstrates that every swap made using Crypto Copilot has an extra hidden instruction that sends 0.05% of the value of the transaction, or at least 0.0013 SOL, to a hardcoded wallet address.

The confirmation screen only shows users the main swap transaction. It gives a summary of the deal without showing the extra transfer that is hidden in the transaction payload.

The Hidden Mechanics Behind Secret Transfers

According to reports, the extension hides its malicious logic behind a number of obfuscation techniques, such as minified code and renamed variables, which make manual review harder. Crypto Copilot communicates with a backend server at crypto-coplilot-dashboard.vercel.app that keeps track of connected wallets, user activity, and referral data.

Investigators found a second related site, cryptocopilot.app, which is still parked and not live. Socket noted that this is not normal for legitimate trading platforms. The article says that the extension’s claim to be a full-featured trading assistant is undercut by the fact that it has no working dashboard.

Using Raydium and On-Chain Tricks

The results show that Crypto Copilot uses Raydium, an automated market maker on the Solana blockchain, to route trades, so the swaps themselves execute as expected.

But the extension adds a hidden SystemProgram.transfer instruction to each transaction. Because every instruction in a Solana transaction executes atomically, the transfer goes through alongside the swap, taking funds while the user approves what looks like a simple swap.

This design lets the attacker skim modest sums across many trades without raising visible red flags for most users, especially those who only read high-level confirmation summaries rather than the full transaction data. Socket stressed that these small losses add up over time, especially for high-volume traders.
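The two points above, that the skim is 0.05% of the swap with a 0.0013 SOL floor and that the extra SystemProgram.transfer never appears in the confirmation summary, are easiest to see as a pre-signing audit that walks every instruction in the transaction rather than trusting the summary. The following is an added example written for this article; it is not code from Socket or from the extension. It models a decoded transaction as a plain list of instructions (a wallet UI would build this from the real message), and every wallet or program id marked PLACEHOLDER is constructed; only the System Program id is the real one.

```javascript
// Added example (not Socket's or the extension's code): audit every instruction
// of a decoded Solana swap transaction and report System Program transfers that
// move the user's SOL to an address the swap route does not need.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real Solana System Program id
const LAMPORTS_PER_SOL = 1_000_000_000;

// Skim reported in the article: 0.05% of the swap value, floored at 0.0013 SOL.
// Integer arithmetic avoids float rounding on the percentage.
const SKIM_NUMERATOR = 5;              // 5 / 10000 = 0.05%
const SKIM_FLOOR_LAMPORTS = 1_300_000; // 0.0013 SOL in lamports

function hiddenFeeLamports(swapLamports) {
  const pct = Math.floor((swapLamports * SKIM_NUMERATOR) / 10_000);
  return Math.max(pct, SKIM_FLOOR_LAMPORTS);
}

// tx.instructions: [{ programId, type, data }]. expectedPrograms: program ids the
// swap route is known to use. allowedDestinations: accounts the user owns, so a
// legitimate SOL-wrapping transfer into the user's own token account is not flagged.
function auditTransaction(tx, userPubkey, expectedPrograms, allowedDestinations) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    // Any program outside the expected route is worth a look on its own.
    if (ix.programId !== SYSTEM_PROGRAM_ID && !expectedPrograms.has(ix.programId)) {
      findings.push({ index, kind: "unexpected-program", programId: ix.programId });
      return;
    }
    // The pattern from the article: a System Program transfer pulling SOL out of
    // the user's wallet to a third-party address inside a "swap" transaction.
    if (
      ix.programId === SYSTEM_PROGRAM_ID &&
      ix.type === "transfer" &&
      ix.data.from === userPubkey &&
      !allowedDestinations.has(ix.data.to)
    ) {
      findings.push({
        index,
        kind: "hidden-transfer",
        to: ix.data.to,
        lamports: ix.data.lamports,
        sol: ix.data.lamports / LAMPORTS_PER_SOL,
      });
    }
  });
  return findings;
}

// Total SOL leaving the wallet via flagged transfers: the gap between what a
// swap-only confirmation summary shows and what the payload actually does.
function totalSkimmedLamports(findings) {
  return findings
    .filter((f) => f.kind === "hidden-transfer")
    .reduce((sum, f) => sum + f.lamports, 0);
}

// Constructed sample: a 2 SOL swap, a legitimate wrap of SOL into the user's own
// token account, and the skim transfer appended at the end.
const USER_WALLET = "UserWalletPLACEHOLDER";
const USER_WSOL_ACCOUNT = "UserWsolAccountPLACEHOLDER"; // owned by the user
const AMM_PROGRAM = "AmmProgramPLACEHOLDER";            // stand-in for the AMM program id
const SKIM_WALLET = "HardcodedWalletPLACEHOLDER";       // stand-in for the hardcoded destination
const SWAP_LAMPORTS = 2 * LAMPORTS_PER_SOL;

const sampleTx = {
  instructions: [
    { programId: SYSTEM_PROGRAM_ID, type: "transfer",
      data: { from: USER_WALLET, to: USER_WSOL_ACCOUNT, lamports: SWAP_LAMPORTS } },
    { programId: AMM_PROGRAM, type: "swap",
      data: { user: USER_WALLET, amountIn: SWAP_LAMPORTS } },
    { programId: SYSTEM_PROGRAM_ID, type: "transfer",
      data: { from: USER_WALLET, to: SKIM_WALLET, lamports: hiddenFeeLamports(SWAP_LAMPORTS) } },
  ],
};

function runSampleAudit() {
  const findings = auditTransaction(
    sampleTx, USER_WALLET, new Set([AMM_PROGRAM]), new Set([USER_WSOL_ACCOUNT]));
  return { findings, skimmedLamports: totalSkimmedLamports(findings) };
}

const report = runSampleAudit();
for (const f of report.findings) {
  console.log(`instruction #${f.index}: ${f.kind} -> ${f.to || f.programId}`);
}
console.log(`not shown by a swap-only summary: ${report.skimmedLamports / LAMPORTS_PER_SOL} SOL`);
```

On the 2 SOL sample the percentage (0.001 SOL) is below the floor, so the flagged transfer is 0.0013 SOL; the wrap transfer into the user's own account is not reported. The point for a wallet or reviewer is the same as Socket's: enumerate every instruction and every SOL outflow before signing, because a summary that renders only the swap cannot reveal an appended transfer.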

More Risks in Crypto Tools That Work in Browsers

Even though Crypto Copilot’s user base is still modest, this case shows that browser extensions that integrate with crypto wallets and DeFi protocols present a growing attack surface.

Malicious Chrome and Firefox add-ons have targeted wallets like , Phantom, and Coinbase Wallet in the past, usually attempting to steal seed phrases or redirect transactions.

According to Socket’s study, this latest instance shows how important it is for users to double-check the legitimacy of extensions, read transaction instructions carefully, and stay informed about new threats that cybersecurity researchers document.

The company also said that as more browser-based tools add direct trading features, closer monitoring of extension ecosystems, such as the , may be needed to better protect cryptocurrency users.
