Crypto Copilot malware has been secretly draining SOL from users’ wallets since June 2025 by injecting hidden transfer instructions into Raydium swaps. Cybersecurity firm Socket uncovered this threat, revealing how the Chrome extension extracts at least 0.0013 SOL or 0.05% per trade without user knowledge. Immediate removal and transaction vigilance are essential to protect Solana assets.
- Cybersecurity researchers at Socket identified the malicious extension during routine Chrome Web Store monitoring.
- The extension appends undisclosed SOL transfers to every swap, scaling fees based on trade size for maximum extraction.
- A minimum of 0.0013 SOL, or 0.05% of larger trades, is siphoned from each swap, with total funds taken to date remaining modest due to limited adoption.
What is the Crypto Copilot Malware?
The Crypto Copilot malware is a deceptive Chrome browser extension posing as a Solana trading assistant that has been active since June 2025. It injects hidden transaction instructions into Raydium swaps, silently transferring SOL to an attacker-controlled wallet. Users remain unaware as the interface masks the extra fee, emphasizing the need for caution with third-party trading tools.
How Do Solana Hidden Fees Work in This Extension?
Solana hidden fees in the Crypto Copilot extension operate through obfuscated code that appends a secondary transfer to legitimate swap instructions on Raydium, a leading Solana decentralized exchange. For trades under 2.6 SOL, a flat 0.0013 SOL fee applies; larger swaps incur 0.05% of the amount, potentially costing $10 on a 100 SOL trade at current prices. Security engineer Kush Pandya from Socket explained, “Aggressive code obfuscation and hardcoded attacker addresses were key red flags our AI scanner detected, leading to confirmation of the fee mechanism.” This structure evades user detection, as wallet pop-ups show only the primary swap details, while both instructions execute on-chain simultaneously. The report highlights that such browser extensions combining social features with signing permissions amplify risks, with the extension’s domain parked and backend showing suspicious placeholders.
Frequently Asked Questions
How Can I Tell If I’ve Installed the Crypto Copilot Extension?
Check your Chrome extensions list for “Crypto Copilot” and verify its ID against known malicious reports from Socket’s analysis. If installed since June 2025 and used for Raydium swaps, review your Solana wallet transaction history for unexplained small SOL outflows to unfamiliar addresses. Uninstall immediately and scan your device to prevent further exposure.
What Should Solana Users Do to Avoid Hidden Swap Fees?
To dodge hidden swap fees on Solana, always inspect transaction details before signing, especially with browser extensions. Stick to verified, open-source tools and avoid those requesting broad wallet permissions. If compromised, transfer assets to a new wallet and enable multi-factor authentication for enhanced security against evolving malware threats.
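The mechanism described above (a System Program transfer appended after the Raydium swap instruction, sized by the reported fee schedule) and the advice to inspect transaction details before signing can be combined into a pre-signing check. The following is an added example, not code from Socket's report or from the extension: it decodes every System Program transfer in a transaction's instruction list and flags any that move SOL from the user's wallet to a recipient outside an allow list, then compares the amount against the fee schedule the report describes. Instructions are modelled as plain objects with the same `programId`/`keys`/`data` shape as `@solana/web3.js` `TransactionInstruction`, so the block runs without the library; the Raydium program id, user wallet and attacker address are constructed placeholders, and the sample transaction is constructed to illustrate the pattern.

```javascript
// Added example (not Socket's or the extension's code): a pre-signing inspector
// that decodes System Program transfers in a Solana transaction and flags any
// that send SOL from the user's wallet to an address outside the allow list.
// Instructions are plain {programId, keys, data} objects mirroring the shape of
// @solana/web3.js TransactionInstruction, so this runs without the library.

const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // real System Program id
const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_TRANSFER_INDEX = 2; // System Program instruction index for Transfer

// Fee schedule reported for the extension: flat 0.0013 SOL under 2.6 SOL, else 0.05%.
function expectedSkimSol(tradeSol) {
  return tradeSol < 2.6 ? 0.0013 : tradeSol * 0.0005;
}

// Decode a System Program instruction's data; returns lamports, or null if it is
// not a Transfer. Layout: u32 LE instruction index, then u64 LE lamports.
function decodeSystemTransfer(data) {
  if (data.length < 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return Number(view.getBigUint64(4, true));
}

// Walk every instruction and return transfers from the user's wallet to any
// address not in the allow list (the swap program, the user's own accounts, ...).
function findUndisclosedTransfers(instructions, userWallet, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  const findings = [];
  for (const [index, ix] of instructions.entries()) {
    if (ix.programId !== SYSTEM_PROGRAM_ID) continue;
    const lamports = decodeSystemTransfer(ix.data);
    if (lamports === null) continue;
    const from = ix.keys[0].pubkey; // System transfer account order: [from, to]
    const to = ix.keys[1].pubkey;
    if (from !== userWallet || allowed.has(to)) continue;
    findings.push({ index, to, sol: lamports / LAMPORTS_PER_SOL });
  }
  return findings;
}

// Does a flagged transfer match the reported skim schedule for this trade size?
function matchesSkimSchedule(transferSol, tradeSol) {
  return Math.abs(transferSol - expectedSkimSol(tradeSol)) < 1e-9;
}

// Build a System transfer instruction (used only to construct the sample below).
function systemTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return { programId: SYSTEM_PROGRAM_ID, keys: [{ pubkey: from }, { pubkey: to }], data };
}

// Constructed sample: a 1 SOL swap with a 0.0013 SOL transfer appended after it.
// All three addresses are placeholders, not real on-chain identifiers.
const USER = 'UserWallet1111111111111111111111111111111111';
const RAYDIUM = 'RaydiumSwapProgram111111111111111111111111111';
const SKIM_DEST = 'AttackerWallet1111111111111111111111111111111';
const sampleSwap = [
  { programId: RAYDIUM, keys: [{ pubkey: USER }], data: new Uint8Array([9]) }, // swap ix, opaque here
  systemTransfer(USER, SKIM_DEST, 1_300_000),
];

// Inspect the sample as a wallet would just before asking the user to sign.
function inspectSample() {
  const tradeSol = 1;
  return findUndisclosedTransfers(sampleSwap, USER, [RAYDIUM]).map(f => ({
    ...f,
    matchesSkim: matchesSkimSchedule(f.sol, tradeSol),
  }));
}

console.log(inspectSample());
```

The allow list is the key design choice: a swap legitimately touches the swap program and the user's own token accounts, so anything else receiving a plain SOL transfer in the same transaction deserves a prompt. Matching the amount against the published schedule is a secondary signal; an unexpected recipient is enough on its own to withhold the signature.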
Key Takeaways
- Malicious Extensions Pose Real Risks: Crypto Copilot demonstrates how seemingly helpful tools can embed hidden SOL transfers, underscoring the dangers of unvetted browser add-ons in crypto trading.
- Early Detection Saved Potential Losses: Socket’s AI monitoring flagged obfuscated code and discrepancies, limiting the attacker’s haul to small amounts despite months of operation.
- Proactive Steps for Users: Regularly audit extensions, review on-chain transactions, and migrate to secure wallets to mitigate similar Solana threats moving forward.
Conclusion
The discovery of the Crypto Copilot malware highlights ongoing vulnerabilities in Solana trading tools, where hidden fees can erode user funds without detection. As cybersecurity firms like Socket continue to expose such threats through diligent monitoring, crypto enthusiasts must prioritize transaction verification and tool vetting. Stay informed and adopt secure practices to navigate the evolving landscape of digital asset security with confidence.
