Stealthy Solana Scam: Crypto Copilot Sends 0.05% of Every Swap to Attacker Wallet
Solana Traders Warned as ‘Crypto Copilot’ Chrome Tool Hijacks Transactions
A Chrome browser extension marketed as a fast and convenient Solana trading tool has been exposed for quietly siphoning user funds during swaps, underscoring serious vulnerabilities in browser-based crypto tools, according to new findings from Socket’s Threat Research Team.
Hidden Transfers Embedded in Every Swap
The extension, known as Crypto Copilot, allows users to trade SOL directly from X (formerly Twitter). However, Socket reports that each transaction processed through the tool contains a concealed transfer instruction that redirects 0.05% of the swap value—at least 0.0013 SOL—to an attacker-controlled wallet.
Users see only the primary swap request on the confirmation screen; the additional transfer is never disclosed, enabling the extension to covertly drain funds over time.
Published on Chrome Web Store Despite Malicious Behavior
Released on the Chrome Web Store in mid-2024, Crypto Copilot promotes itself as an instant trading assistant. Behind the scenes, the extension uses code minification, variable renaming, and other obfuscation techniques to hide its malicious functions, Socket said.
The software communicates with a backend server hosted at crypto-coplilot-dashboard.vercel.app, which logs wallet connections, tracks user behavior, and records referral activity. Another associated domain, cryptocopilot.app, remains inactive—an inconsistency that Socket notes is unusual for legitimate trading services.
Raydium Used to Mask On-Chain Diversions
Crypto Copilot routes swaps through Raydium, a major Solana automated market maker. It then attaches a hidden SystemProgram.transfer instruction to each trade, enabling an atomic on-chain diversion of funds while users believe they are approving a single, harmless transaction.
Rising Concerns Over Browser-Based Crypto Security
Although installation numbers appear low, Socket warns that frequent traders face the greatest risk, as incremental thefts may go unnoticed. The incident adds to a growing list of malicious Chrome and Firefox extensions that have targeted major crypto wallets like MetaMask, Phantom, and Coinbase.
Socket’s analysis highlights the need for greater oversight of Chrome’s extension ecosystem and reinforces the importance of carefully reviewing transaction details before approval. The firm advises Solana users to verify extension legitimacy, inspect on-chain instructions, and monitor updates from cybersecurity researchers.
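The advice to inspect on-chain instructions, applied to the hidden SystemProgram.transfer described above, can be automated. The following is an added example, not code from Socket or from the extension: it decodes System Program transfer instructions (discriminator 2, then a little-endian u64 lamport amount) in an already-parsed instruction list and reports any whose recipient is not on the user's allowlist. The instruction object shape, the placeholder account names and the sample transaction are constructed assumptions.

```javascript
// Added example: flag SOL transfers to recipients the user did not expect.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminator

// Transfer data layout: u32 LE discriminator, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.accounts.length < 2) return null;
  const data = Buffer.from(ix.data);
  if (data.length < 12 || data.readUInt32LE(0) !== TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// Report every System Program transfer whose recipient is not allowlisted.
function findUndisclosedTransfers(instructions, expectedRecipients) {
  const allowed = new Set(expectedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) findings.push({ index, ...t });
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function transferData(lamports) {
  const buf = Buffer.alloc(12);
  buf.writeUInt32LE(TRANSFER_INDEX, 0);
  buf.writeBigUInt64LE(lamports, 4);
  return [...buf];
}

// Constructed sample: placeholder account names, not real addresses.
const USER = "USER_WALLET_PLACEHOLDER";
const USER_WSOL = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const sampleInstructions = [
  // Legitimate: wrapping 10 SOL into the user's own wSOL account.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, USER_WSOL], data: transferData(10_000_000_000n) },
  // The swap itself (opaque to this check).
  { programId: "AMM_PROGRAM_PLACEHOLDER", accounts: [USER, USER_WSOL], data: [9, 0, 0] },
  // Extra transfer of 0.05% of the swap to an unrelated wallet.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UNKNOWN_WALLET_PLACEHOLDER"], data: transferData(5_000_000n) },
];

const findings = findUndisclosedTransfers(sampleInstructions, [USER_WSOL]);
for (const f of findings) {
  console.log(`instruction #${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```

The allowlist matters because a SOL swap legitimately contains a System Program transfer into the user's own wrapped-SOL account; only transfers to other recipients are reported.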








