Malicious Chrome Plugin Skims SOL Without Draining Wallets

A malicious Google Chrome browser extension is letting users trade on Solana, while quietly skimming a fee from every swap into the creator’s wallet.

According to a Tuesday report by cybersecurity company Socket, the Google Chrome extension allows users to trade on Solana (SOL) from their X social media feed. Unlike typical wallet-draining malware that tries to steal the entire balance, Crypto Copilot “injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade,” Socket found.

On the back end, Crypto Copilot uses the decentralized exchange Raydium to perform swaps for the user, but appends a second instruction that transfers SOL from the user to the attacker. The user interface only shows the swap details while wallet confirmation screens “summarize the transaction without surfacing individual instructions.”

“Users sign what appears to be a single swap, but both instructions execute atomically on-chain,“ Socket said.

Featured image of the Google Chrome extension. Source: Chrome Web Store

A long-lived operation

Socket noted that it submitted a takedown request for the extension to the Chrome Web Store security team. The malicious extension is relatively long-lived, having been published on June 18, 2024, but the store reports that it only has 15 users at the time of writing.

Crypto Copilot markets itself as a convenience tool allowing Solana traders to execute swaps directly from Twitter. It promises “allowing you to act on trading opportunities instantly without the need for switching between apps or platforms.”

The latest of many malicious Google Chrome extensions

Google Chrome’s massive user base and extensible design have long made its extension ecosystem a target for crypto-focused scams. Earlier this month, Socket warned that the fourth-most-popular crypto wallet extension in the Chrome Web Store was draining user funds. In late August, decentralized exchange aggregator Jupiter said it had identified another malicious Chrome extension that was emptying Solana wallets.

In June 2024, a Chinese trader reportedly lost $1 million after installing a Chrome plugin called Aggr. That extension stole browser cookies to hijack accounts, including access to the trader’s Binance account.

Magazine: ‘Help! My robot vac is stealing my Bitcoin’: When smart devices attack

What's Hot

Polymarket Wins Amended Order of Designation from CFTC

Cocoon Decentralized AI Network Launches on the Open Network (TON)

DOT Tests Multi-Month Lows as Polkadot Struggles Below All Major Moving Averages

Malicious Chrome Plugin Skims SOL Without Draining Wallets

Tether CEO Rails Against S&P, Says Influencers Targeting Tether With FUD

Composite of ETH Valuation Models Places ETH Fair Value at $4,839: Analyst

Ethereum Leverage Reset Complete, Time For Market Re-Accumulation?

What's Hot

Polymarket Wins Amended Order of Designation from CFTC

Cocoon Decentralized AI Network Launches on the Open Network (TON)

DOT Tests Multi-Month Lows as Polkadot Struggles Below All Major Moving Averages

Malicious Chrome Plugin Skims SOL Without Draining Wallets

A long-lived operation

The latest of many malicious Google Chrome extensions

Related Posts

Tether CEO Rails Against S&P, Says Influencers Targeting Tether With FUD

Composite of ETH Valuation Models Places ETH Fair Value at $4,839: Analyst

Ethereum Leverage Reset Complete, Time For Market Re-Accumulation?