Malicious Chrome Extension Injects Hidden SOL Fees Into Sola…

Socket’s Threat Research Team discovered a malicious Chrome extension named Crypto Copilot that injects a hidden SystemProgram.transfer into every Raydium swap, siphoning the greater of 0.0013 SOL or 0.05% of the trade to a hardcoded attacker wallet. The fee logic is obfuscated in the bundle and undisclosed in the Chrome Web Store listing; the extension communicates with typo-squatted/parked backend domains and remains available while a takedown request is pending. #CryptoCopilot #Solana

Key points

  • Socket’s Threat Research Team identified Crypto Copilot, a Chrome extension published on June 18, 2024, that integrates with Phantom, Solflare, and other Solana wallets to execute swaps from social feeds.
  • The extension builds a legitimate Raydium swap instruction and then appends a hidden SystemProgram.transfer that sends the greater of 0.0013 SOL or 0.05% of the swap to a hardcoded attacker wallet (Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7).
  • The fee extraction is not disclosed in the Chrome Web Store listing and the malicious logic is buried in aggressively minified/obfuscated code, with the attacker wallet concealed under obfuscated variables.
  • Crypto Copilot communicates with backend infrastructure (crypto-coplilot-dashboard[.]vercel[.]app) and ships a hardcoded Helius API key, giving the operator visibility into connected wallets and trading behavior despite the backend being blank/parked.
  • Because wallet confirmation UIs often summarize transactions, users sign both instructions atomically without noticing the hidden transfer, enabling ongoing theft that scales with trade size and frequency.
  • Indicators include the extension name and ID, attacker email, hardcoded Solana address, and suspicious domains; Socket submitted a takedown request and recommends inspecting individual transaction instructions and avoiding closed-source signing extensions.
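The recommendation above, inspecting individual instructions rather than trusting a wallet's one-line summary, can be turned into a simple audit step. The following is an added example and not code from Socket or from the extension: it models a decoded Solana transaction as plain objects (so it runs without @solana/web3.js; field names `programId`, `decoded.to` and `decoded.lamports` are assumptions that mirror what a decoding library returns), walks every instruction, and flags any System Program transfer whose destination is not one the user expected. The Raydium program id and user wallet in the sample are placeholders; the fee formula and attacker address are the ones reported in the write-up.

```javascript
// Added example: defender-side instruction audit for a Solana transaction.
// Transaction layout is modelled as plain objects (an assumption), so this
// runs offline without @solana/web3.js.

const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // real System Program id
const LAMPORTS_PER_SOL = 1_000_000_000;

// Attacker wallet reported by Socket in the write-up.
const REPORTED_ATTACKER_WALLET = 'Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7';

// Fee formula from the write-up: the greater of 0.0013 SOL or 0.05% of the swap.
// Integer lamport arithmetic avoids floating-point rounding surprises.
const FLAT_FEE_LAMPORTS = 1_300_000; // 0.0013 SOL
function hiddenFeeLamports(swapLamports) {
  const pct = Math.floor((swapLamports * 5) / 10_000); // 0.05% = 5 / 10,000
  return Math.max(FLAT_FEE_LAMPORTS, pct);
}

// Return every System Program transfer whose destination is not on the
// caller's allowlist. A swap that legitimately needs a SOL transfer (e.g. to a
// fee account the user knows about) can be allowlisted; anything else is flagged.
function findUnexpectedTransfers(tx, expectedDestinations) {
  const allow = new Set(expectedDestinations);
  return tx.instructions
    .filter(ix => ix.programId === SYSTEM_PROGRAM_ID)
    .filter(ix => ix.decoded && ix.decoded.type === 'transfer')
    .filter(ix => !allow.has(ix.decoded.to))
    .map(ix => ({
      to: ix.decoded.to,
      lamports: ix.decoded.lamports,
      sol: ix.decoded.lamports / LAMPORTS_PER_SOL,
    }));
}

// Constructed sample: a 1 SOL swap through a Raydium program (placeholder id)
// followed by the hidden transfer the write-up describes. The user wallet and
// the Raydium program id are placeholders, not real addresses.
const USER_WALLET = 'UserWa11etP1aceho1der000000000000000000000000';
const RAYDIUM_PROGRAM_PLACEHOLDER = 'RaydiumProgramIdPlaceholder00000000000000000';
const SWAP_LAMPORTS = 1 * LAMPORTS_PER_SOL;

const sampleTx = {
  feePayer: USER_WALLET,
  instructions: [
    {
      programId: RAYDIUM_PROGRAM_PLACEHOLDER,
      decoded: { type: 'swap', amountIn: SWAP_LAMPORTS },
    },
    {
      programId: SYSTEM_PROGRAM_ID,
      decoded: {
        type: 'transfer',
        from: USER_WALLET,
        to: REPORTED_ATTACKER_WALLET,
        lamports: hiddenFeeLamports(SWAP_LAMPORTS),
      },
    },
  ],
};

// Audit the sample with an empty allowlist: a plain swap should need no SOL
// transfer at all, so any transfer present is suspicious.
function auditSampleTransaction() {
  return findUnexpectedTransfers(sampleTx, []);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditSampleTransaction()) {
    console.log(`unexpected transfer of ${hit.sol} SOL to ${hit.to}`);
  }
}
```

Running the block prints one hit: 0.0013 SOL to the reported attacker wallet, which is exactly the instruction a summarized wallet prompt would hide. The fee function also shows why the theft scales with trade size: the 0.05% term overtakes the flat 0.0013 SOL floor once a swap exceeds 2.6 SOL.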

MITRE Techniques

  • [T1195.002] Supply Chain Compromise – Distribution via a malicious Chrome Web Store extension that appears as a legitimate trading tool (“published on June 18, 2024” / “The Chrome Web Store listing positions Crypto Copilot as a convenience tool”).
  • [T1176.001] Browser Extensions – Abuse of browser extension permissions to connect to wallets and sign transactions directly from social feeds (“The extension connects to Phantom, Solflare, and other standard Solana wallets”).
  • [T1059.007] JavaScript Execution – JavaScript in the extension constructs and modifies on-chain transactions client-side, appending hidden transfer instructions (“transaction.add(SystemProgram.transfer({…}))”).
  • [T1027] Obfuscated Files or Information – The malicious behavior is concealed via aggressive minification and variable renaming in the bundled code (“The bundled code uses aggressive minification and variable renaming to obscure this behavior”).
  • [T1657] Financial Theft – Silent insertion of an extra SOL transfer to a personal wallet to siphon fees from user swaps (“appends a second instruction that transfers SOL from the user to Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7”).

Indicators of Compromise

  • [Email] Threat actor contact – jclark76@gmail[.]com
  • [Chrome Extension] Malicious extension identity – Name: Crypto Copilot, Extension ID: iaemdpdnmdkaphnmcogmcgcmhhafcifd
  • [Solana Address] Attacker wallet receiving siphoned fees – Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7
  • [Domains] Backend and infrastructure indicators – crypto-coplilot-dashboard[.]vercel[.]app, cryptocopilot[.]app

Read more: https://socket.dev/blog/malicious-chrome-extension-injects-hidden-sol-fees-into-solana-swaps