According to recent reports, the Chrome extension ‘Crypto Copilot’ is siphoning SOL from people who install it.
This extension pretends to be a trading helper for Solana users and allows them to perform swaps directly from their X (Twitter) posts.
On the surface it looks perfectly normal: it connects to standard wallets, displays DexScreener price data, and routes swaps through Solana’s largest AMM, Raydium.
But underneath that UI, additional instructions are secretly inserted into every transaction you sign.
Structure
This extension silently attaches a second instruction behind the scenes. It’s a small, hidden SOL transfer to the attacker’s personal wallet.
The transfer is not visible in the extension's UI. Wallets like Phantom only show a summary unless you manually expand the list of instructions, so most users never realize that an outbound transfer is embedded within the same transaction.
The fee extraction code itself is simple. It silently adds a second instruction to the transaction that calculates a small fixed fee or a small percentage of the transaction, converts it to lamports, and sends that amount to the attacker’s wallet.
What makes this dangerous is that this logic is embedded within highly obfuscated JavaScript. On the surface, the UI looks perfectly legitimate, showing only the expected Raydium swap.
The extension also connects to misspelled backend domains and pretends to record wallet IDs, track activity, and offer “points” and referrals, even though the actual website is empty and non-functional.
On-chain, this theft looks like a small regular SOL transfer next to a legitimate swap. So unless someone carefully inspects the instructions or knows the attacker’s address, it slips through unnoticed. The fees are intentionally kept so small that they are negligible at this time.