A new threat is targeting the Solana ecosystem, preying on traders looking for speed and convenience on social media. Socket’s Threat Research Team has discovered a malicious Chrome extension, Crypto Copilot, published on June 18, 2024. It markets itself as a tool to “execute trades instantly from your X feed,” capitalizing on the fast-paced nature of crypto trading on the platform.
However, behind the slick interface lies a trap. While users believe they are simply swapping tokens, the extension is quietly siphoning funds directly into an attacker’s wallet.
The attack is subtle and technically sophisticated. When a user initiates a swap through the extension, the software builds the legitimate Raydium swap instruction as expected. It then quietly appends a second, malicious instruction to the same transaction.
“Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet.”
Because Solana transactions are atomic (every instruction in a transaction succeeds or fails together, and a single signature covers all of them), the theft executes in the same block as the trade. The appended second instruction is a plain transfer of funds to the address Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7.
The attackers have gone to great lengths to hide this activity from users. The extension’s user interface displays only the legitimate swap details, hiding the secondary transfer fee entirely.
Socket’s researchers note that “The fee behavior is never disclosed on the Chrome Web Store listing, and the logic implementing it is buried inside heavily obfuscated code”. Furthermore, because wallet confirmation screens typically summarize the transaction rather than breaking down every instruction, “Users sign what appears to be a single swap, but both instructions execute atomically on-chain”.
The investigation also revealed a backend infrastructure that raises immediate red flags. The extension exfiltrates the connected wallet’s public key to a backend hosted at crypto-coplilot-dashboard[.]vercel[.]app—notably misspelling “copilot”. Additionally, the main domain cryptocopilot[.]app appears to be a parked domain with no functional product, further confirming the illegitimate nature of the tool.
The extension also embeds a Helius RPC API key directly in the client code, a credential that anyone who unpacks the extension can read and reuse.
As of the report’s writing, the extension “remains available” on the Chrome Web Store. Socket has submitted a takedown request to Google.