A sophisticated new threat targeting the Solana ecosystem has been identified, with the "Crypto Copilot" Chrome extension secretly siphoning funds from unsuspecting traders under the guise of a helpful tool.
The Anatomy of the Scam
Security researchers have issued a critical warning regarding a malicious Google Chrome extension named "Crypto Copilot." Active since June 18, 2024, the extension masquerades as a convenient trading utility that lets users swap Solana tokens directly from their Twitter (X) feed. Beneath its user-friendly interface, however, lies a mechanism that skims funds from every swap it executes.
According to findings published by security firm Socket, the extension drains wallets by a subtle but effective method. Rather than emptying a wallet in one go—which often triggers immediate alarm—it tampers with the transaction it builds on the user's behalf. The swap itself is routed through Raydium, a legitimate decentralized exchange, so the trade the user asked for really happens; but the extension appends a second instruction, a SOL transfer to an attacker-controlled address, to the same transaction before handing it to the wallet for signature.
Malicious Wallet Identified
Stolen funds are automatically diverted to the address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. The code is programmed to skim either 0.0013 SOL or 0.05% of the trade value, whichever is higher. Because the transfer rides in the same atomic transaction as the swap, the skim succeeds exactly when the swap does, and the user's single signature authorizes both.
Stealth Tactics and Technical Execution
What makes "Crypto Copilot" particularly dangerous is how well it evades detection by ordinary users. The developers behind the malware used obfuscation techniques, including code minification and variable renaming, to hide the malicious logic from casual inspection. The extension also relies on a normal feature of the Solana network: a single transaction can carry multiple instructions, which execute atomically (all succeed or all fail), so a hidden transfer can be bundled with a legitimate swap and approved with one click.
Most Solana wallets show a simplified transaction summary rather than an instruction-by-instruction breakdown. This design choice, meant to make wallets easier to use, is what hides the scam from users.
When a user approves what they believe is a simple token swap, the wallet interface typically displays a summary that masks the secondary transfer instruction. This "hidden fee" approach lets the attackers accumulate funds over time without immediately alerting the victim, a strategy distinct from the aggressive wallet drainers seen in previous attacks, which empty a wallet in a single transaction and are noticed at once.

A Growing Trend of Browser-Based Threats
This incident is part of a disturbing rise in malicious browser extensions targeting the cryptocurrency sector. The "Crypto Copilot" malware shares similarities with other high-profile scams, such as the "Aggr" extension which caused a $1 million loss for a Chinese trader in June 2024, and the "Bull Checker" extension previously flagged by the Jupiter exchange team.
The extension creates a false sense of legitimacy by pointing to web domains that look professional but offer little or no real functionality. Domains such as "crypto-coplilot-dashboard.vercel.app" and "cryptocopilot.app" have been linked to the scam and serve as red flags for anyone who investigates the tool's background.
Protective Measures for Traders
To safeguard against such threats, experts recommend a rigorous approach to browser security:
1. Audit Your Extensions
Immediately check your browser for "Crypto Copilot" or any unverified trading tools. If installed, remove them at once and treat any wallet you connected to them as potentially compromised. Revoke the extension's connection in your wallet's connected-apps list, revoke any token approvals you do not recognize, and move remaining assets to a fresh wallet.
2. Verify Transaction Simulations
While wallet UIs can be simplified, users should strive to view the detailed simulation of any transaction before signing. Look for unexpected `SystemProgram.transfer` instructions that do not belong to the intended swap, in particular SOL transfers whose destination is neither one of your own accounts nor an account the exchange itself uses.
3. Stick to Trusted Sources
Avoid installing extensions promoted by anonymous accounts on social media, or those with low user counts and poor ratings. "Crypto Copilot" was published under the developer name "sjclark76" and had minimal genuine feedback, a common trait of malware.
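The two technical points above, the way a hidden transfer is bundled into the same atomic transaction as the swap (Stealth Tactics) and the check a wallet or user can run on a simulated transaction (Verify Transaction Simulations), are illustrated together in the following added example. It is not code from the Socket report or from the extension; it models Solana transactions with plain objects rather than `@solana/web3.js` so it runs offline. The System Program id, the `Transfer` instruction index and its data layout (u32 little-endian index followed by u64 little-endian lamports), and the lamport unit are real Solana facts; the Raydium program id, the user wallet and the attacker wallet are placeholder strings, not real addresses, and the swap instruction data is constructed.

```javascript
// Added example: models the bundled-skim transaction and a check for it.
// Real Solana constants:
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // System Program
const LAMPORTS_PER_SOL = 1_000_000_000;                        // 1 SOL = 1e9 lamports
const SYSTEM_IX_TRANSFER = 2;                                  // SystemInstruction::Transfer

// Placeholders (assumptions for this example only, not real addresses):
const RAYDIUM_PLACEHOLDER_ID = "RaydiumSwapProgramPlaceholder1111111111111";
const ATTACKER_PLACEHOLDER = "AttackerSkimWalletPlaceholder111111111111111";
const USER_PLACEHOLDER = "UserTradingWalletPlaceholder11111111111111111";

// Skim rule reported for the extension: max(0.0013 SOL, 0.05% of the trade).
const SKIM_FLAT_LAMPORTS = 1_300_000; // 0.0013 SOL
function skimLamports(tradeLamports) {
  const pct = Math.floor((tradeLamports * 5) / 10_000); // 0.05%
  return Math.max(SKIM_FLAT_LAMPORTS, pct);
}

// SystemProgram.transfer data: u32 LE instruction index (2), then u64 LE lamports.
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_IX_TRANSFER, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Returns the lamport amount if `data` is a Transfer instruction, else null.
function decodeTransferData(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_IX_TRANSFER) return null;
  return Number(view.getBigUint64(4, true));
}

// Account order for a System Program transfer: [source (signer), destination].
function transferInstruction(from, to, lamports) {
  return {
    programId: SYSTEM_PROGRAM_ID,
    keys: [
      { pubkey: from, isSigner: true, isWritable: true },
      { pubkey: to, isSigner: false, isWritable: true },
    ],
    data: encodeTransferData(lamports),
  };
}

// What the extension does: the user's real swap plus a hidden transfer to the
// attacker in ONE transaction. Both execute under the user's single signature,
// and atomicity means the skim lands exactly when the swap does.
function buildSkimmedTransaction(swapIx, userPubkey, tradeLamports) {
  const skim = transferInstruction(userPubkey, ATTACKER_PLACEHOLDER, skimLamports(tradeLamports));
  return { feePayer: userPubkey, instructions: [swapIx, skim] };
}

// The check a wallet (or a careful user reading a simulation) can apply:
// flag every System Program transfer whose destination is not an account the
// user expects, e.g. their own wallets or the exchange's known fee accounts.
function findUnexpectedTransfers(tx, expectedDestinations) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const lamports = decodeTransferData(ix.data);
    if (lamports === null) return; // some other System Program instruction
    const to = ix.keys[1].pubkey;
    if (!expectedDestinations.has(to)) {
      findings.push({ index, to, lamports, sol: lamports / LAMPORTS_PER_SOL });
    }
  });
  return findings;
}

// Constructed demo: a 10 SOL swap through the placeholder Raydium program.
function demo() {
  const tradeLamports = 10 * LAMPORTS_PER_SOL;
  const swapIx = {
    programId: RAYDIUM_PLACEHOLDER_ID,
    keys: [{ pubkey: USER_PLACEHOLDER, isSigner: true, isWritable: true }],
    data: new Uint8Array([9]), // constructed placeholder, not a real Raydium layout
  };
  const tx = buildSkimmedTransaction(swapIx, USER_PLACEHOLDER, tradeLamports);
  return findUnexpectedTransfers(tx, new Set([USER_PLACEHOLDER]));
}

console.log(demo());
```

On a 10 SOL trade the percentage rule wins (0.05% = 0.005 SOL), on a 1 SOL trade the flat 0.0013 SOL floor does; either way the second instruction shows up as a transfer to an address the user never chose, which is the one line a simulation view needs to surface.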