A malicious Google Chrome extension called Crypto Copilot has been discovered skimming fees from Solana (SOL) trades while posing as a convenient trading tool, cybersecurity firm Socket reported on Tuesday.
Unlike traditional malware that drains entire wallets, Crypto Copilot subtly siphons a minimum of 0.0013 SOL or 0.05% per swap into the attacker’s wallet. Users believe they are executing normal Solana swaps via the decentralized exchange Raydium, but the extension secretly injects an additional instruction that transfers SOL to the creator. The user interface shows a single swap and the wallet confirmation masks the extra transfer, so both actions execute atomically on-chain.
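The injected instruction described above is an ordinary System Program transfer, so it can be spotted by inspecting a transaction's instruction list before signing. The following check is an added example, not code from Socket or from the extension. It assumes the instructions are already decoded with account indices resolved to address strings, and every address in the sample is a constructed placeholder.

```javascript
// Added example. Assumes each instruction is decoded to
// { programId, accounts, data } with accounts resolved to base58 strings.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // System Program
const TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminator (u32 LE)

// Decode a System Program Transfer: u32 LE discriminator, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const data = Buffer.from(ix.data);
  if (data.length !== 12 || data.readUInt32LE(0) !== TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// List SOL transfers out of the user's wallet to recipients the user did not expect.
function findUnexpectedTransfers(instructions, userWallet, expectedRecipients) {
  const expected = new Set([userWallet, ...expectedRecipients]);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === userWallet && !expected.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}

// Build Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const b = Buffer.alloc(12);
  b.writeUInt32LE(TRANSFER_INDEX, 0);
  b.writeBigUInt64LE(BigInt(lamports), 4);
  return b;
}

// Constructed sample: all addresses are placeholders, not values from the report.
const USER = "UserWalletPlaceholder";
const USER_WSOL = "UserWrappedSolAccountPlaceholder";
const sampleTx = [
  // Legitimate: a swap from native SOL funds the user's own wrapped-SOL account.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, USER_WSOL], data: transferData(1_000_000_000) },
  // The swap itself; its data is opaque to this check.
  { programId: "SwapProgramPlaceholder", accounts: [USER, USER_WSOL], data: Buffer.from([9]) },
  // Appended transfer of 0.0013 SOL (1,300,000 lamports) to a third party.
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UnknownRecipientPlaceholder"], data: transferData(1_300_000) },
];

const findings = findUnexpectedTransfers(sampleTx, USER, [USER_WSOL]);
for (const f of findings) console.log(`instruction ${f.index}: ${f.lamports} lamports to ${f.to}`);
```

The wrapped-SOL account is listed as expected because a swap from native SOL legitimately transfers to it; without that entry the check would also flag the first instruction.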
Published on June 18, 2024, the extension has remained active for over a year but currently only reports 15 users. Crypto Copilot markets itself as a tool that lets Solana traders swap directly from X social media feeds, claiming to simplify trading by removing the need to switch between apps.
Crypto Copilot is part of a growing trend of malicious Chrome extensions targeting crypto users. Earlier in 2024, Socket flagged another popular wallet extension that drained funds, while decentralized exchange aggregator Jupiter reported a malicious plugin stealing Solana tokens in August. In June 2024, a Chrome extension called Aggr reportedly caused a Chinese trader to lose $1 million by hijacking browser cookies and cryptocurrency accounts, including Binance access.
Socket has submitted a takedown request to the Chrome Web Store, highlighting ongoing risks within Chrome’s extensible ecosystem. Users are advised to exercise caution when installing browser extensions, particularly those claiming to facilitate crypto trading.
This incident underscores the persistent vulnerabilities in browser-based crypto tools and the need for vigilance against deceptive extensions that quietly exploit user transactions.