Chrome Extension Caught Skimming Solana Trades – Users Unknowingly Paying Hacker Fee

28-Nov-2025 Coindoo
Key Takeaways
  • A malicious Chrome extension added hidden fees to every Solana swap and routed them to an attacker.
  • The plug-in has been live since June and marketed itself as a trading shortcut for X users.
  • Chrome extensions remain a high-risk environment for crypto transactions due to broad permissions and limited visibility into instructions users sign. 

Cybersecurity firm Socket uncovered the scheme and reported that the extension — titled Crypto Copilot — inserts a hidden fee into each swap. Instead of draining entire wallets in a single hit (the hallmark of most Solana-focused malware), the attacker opted for a slower and less noticeable method: taking a small cut from every trade.

How the theft is carried out

Socket’s review of the code revealed that Crypto Copilot routes swaps through Raydium, a popular Solana DEX. But before users approve the transaction, the extension adds an extra instruction that funnels part of the trade — a minimum of 0.0013 SOL or roughly 0.05% of the swap value — to the attacker.

The extension relies on the fact that most users only review the high-level summary shown in the wallet approval window. Because both transfers execute in the same transaction, there is no visible indication that a second transfer is taking place.

Installed since June — barely noticed until now

Crypto Copilot has been available on the Chrome Web Store since June 18, 2024. According to the storefront listing, it has 15 active users, though the exact number affected by unauthorized transfers is unclear.

READ MORE:

Bitcoin Options Market Braces for a Major Reset as Traders Split on Direction

The extension marketed itself as a productivity upgrade — enabling Solana swaps without leaving the X interface — which likely helped it avoid early suspicion. Socket says it has already requested that Google remove the listing, but the plug-in remained accessible at the time of reporting.

Growing pattern of Chrome-based wallet theft

This is not an isolated case. Malicious Chrome extensions have become one of the most effective attack vectors targeting crypto users:

  • Earlier this month, Socket flagged another highly downloaded wallet extension that was draining funds.
  • In August, the Jupiter team warned Solana users about a Chrome plug-in that emptied wallets.
  • In June 2024, a Chinese trader reported losing $1 million after installing a malicious extension that harvested browser cookies and gained access to his Binance account.

Security researchers caution that Chrome extensions have become a preferred target because users often accept permission prompts without understanding the access being granted.

The information provided in this article is for educational purposes only and does not constitute financial, investment, or trading advice. Coindoo.com does not endorse or recommend any specific investment strategy or cryptocurrency. Always conduct your own research and consult with a licensed financial advisor before making any investment decisions.

The post Chrome Extension Caught Skimming Solana Trades – Users Unknowingly Paying Hacker Fee appeared first on Coindoo.

Also read: Dogwifhat Price Prediction 2025: Holds $0.38 as Traders Await Breakout From Tight Range
Next
Author's Name
telegram Telegram Twitter Twitter Linkedin Linkedin Instagram Instagram
About Author Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nunc fermentum lectus eget interdum varius. Curabitur ut nibh vel velit cursus molestie. Cras sed sagittis erat. Nullam id ante hendrerit, lobortis justo ac, fermentum neque. Mauris egestas maximus tortor. Nunc non neque a quam sollicitudin facilisis. Maecenas posuere turpis arcu, vel tempor ipsum tincidunt ut.
Read More Articles by Author
WHAT'S YOUR OPINION?
Related News