
Malicious Chrome Extension Siphons Solana Fees Through Raydium Swaps

A newly discovered malicious Chrome extension, Crypto Copilot, has been found to secretly inject hidden Solana transfer fees into user transactions on the Raydium decentralized exchange. This stealthy operation siphons funds directly to an attacker-controlled wallet, bypassing user awareness and potentially impacting numerous Solana users.

Key Takeaways

  • A Chrome extension named Crypto Copilot has been identified as malicious.

  • It injects hidden Solana transfer fees into Raydium swap transactions.

  • Funds are sent to a hardcoded attacker-controlled wallet.

  • The extension uses obfuscation techniques to evade detection.

  • It leverages legitimate services to appear trustworthy.

The Crypto Copilot Deception

Cybersecurity researchers have uncovered a deceptive Chrome extension, Crypto Copilot, that was published on May 7, 2024. Despite its description as a tool for "trading crypto directly on X with real-time insights and seamless execution," the extension harbors a hidden agenda. It operates by injecting an additional, undisclosed Solana transfer into every swap transaction performed on Raydium, a popular decentralized exchange built on the Solana blockchain.

Stealthy Fee Collection Mechanism

The malicious functionality is embedded within obfuscated code that activates during a Raydium swap. The extension manipulates the transaction by appending a hidden transfer instruction to it. This allows it to send a portion of the user's funds to a wallet hardcoded within the extension's code. The fee structure is calculated dynamically, with a minimum charge of 0.0013 SOL for trades. For trades exceeding 2.6 SOL, the fee increases to 2.6 SOL plus 0.05% of the swap amount. To further evade detection, the extension employs techniques such as code minification and variable renaming.
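The defensive counterpart to this technique is to inspect every instruction in a transaction before signing it, rather than trusting the swap summary a UI shows. The following is an added example (not code from the article, the extension, or Raydium) of such a pre-signing inspector in plain JavaScript. It assumes a simplified, already-decoded transaction shape (`instructions` as objects with `programId`, `accounts` and `data` byte arrays) rather than any wallet library's API; the System Program address and its Transfer encoding (a 4-byte little-endian instruction index of 2 followed by a little-endian u64 lamport amount) are real, while the swap program id and attacker wallet strings are obvious placeholders and the sample transaction is constructed for the demonstration.

```javascript
// Added example: flag SOL transfers hidden inside a swap transaction before signing.
// Transaction shape is a simplified assumption for this example, not a library type.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program address
const SYSTEM_TRANSFER_INDEX = 2; // System Program "Transfer" instruction discriminator
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Build the data bytes of a System Program Transfer instruction (u32 LE index, u64 LE lamports).
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return Array.from(buf);
}

// Decode an instruction; return { from, to, lamports } if it is a System Program Transfer,
// otherwise null (non-system programs and other system instructions are ignored).
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const data = Uint8Array.from(ix.data);
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Walk every instruction and report SOL leaving the signer's wallet toward any account
// that is not an expected counterparty (e.g. the signer's own token accounts).
function findUnexpectedTransfers(tx, signer, expectedDestinations) {
  const allowed = new Set(expectedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === signer && !allowed.has(t.to)) {
      findings.push({
        index,
        to: t.to,
        lamports: t.lamports,
        sol: Number(t.lamports) / Number(LAMPORTS_PER_SOL),
      });
    }
  });
  return findings;
}

// Constructed sample: a swap instruction followed by a hidden 0.0013 SOL transfer
// (the article's stated minimum fee) to a hardcoded wallet. Placeholder ids only.
const USER_WALLET = "USER_WALLET_PLACEHOLDER";
const USER_WSOL_ACCOUNT = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const SAMPLE_TX = {
  instructions: [
    { programId: "SWAP_PROGRAM_ID_PLACEHOLDER", accounts: [USER_WALLET, USER_WSOL_ACCOUNT], data: [9, 0, 0] },
    { programId: SYSTEM_PROGRAM_ID, accounts: [USER_WALLET, USER_WSOL_ACCOUNT], data: encodeTransferData(50_000_000n) },
    { programId: SYSTEM_PROGRAM_ID, accounts: [USER_WALLET, "ATTACKER_WALLET_PLACEHOLDER"], data: encodeTransferData(1_300_000n) },
  ],
};

function inspectSample() {
  return findUnexpectedTransfers(SAMPLE_TX, USER_WALLET, [USER_WSOL_ACCOUNT]);
}

for (const f of inspectSample()) {
  console.log(`instruction ${f.index}: ${f.sol} SOL to ${f.to} is not part of the expected swap`);
}
```

The funding transfer into the user's own wrapped-SOL account passes because it is on the expected-destination list; only the transfer to the unlisted wallet is reported. A wallet or browser-side guard built on this idea would prompt the user before signing whenever the list of findings is non-empty.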

Evading Detection and Maintaining Legitimacy

Crypto Copilot goes to great lengths to appear legitimate and avoid scrutiny. It communicates with a backend hosted on to register wallets, fetch data, and report user activity. Notably, the associated domains, including , do not host any actual product, serving solely as a front. The extension also integrates with legitimate services like DexScreener and Helius RPC, lending it a veneer of trustworthiness. Researchers emphasize that users are unlikely to notice the hidden fees unless they meticulously inspect every instruction before signing a transaction, as the user interface only displays the details of the intended swap.

Sources

  • Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps, The Hacker News.
