A harmful Chrome extension called Crypto Copilot has been caught secretly adding extra fees during Raydium swaps. Security researchers found that it quietly inserted hidden Solana transfers inside every transaction. Users thought they were only confirming a normal Raydium swap, but another instruction was added in the background. This caused small amounts of SOL to be sent directly to an attacker’s wallet.
The extension looked like a helpful trading tool and claimed to offer smooth and fast swaps. But its code was secretly modifying transactions without alerting users. It inserted a SystemProgram.transfer instruction into the same signed transaction. As a result, users unknowingly signed one transaction that performed two different actions.
The stolen fee followed a fixed pattern designed by the attacker. A minimum of 0.0013 SOL was taken from every swap. For bigger trades, the extension applied a 0.05% hidden charge on the total swap amount. This fee became larger than the minimum once the swap value crossed around 2.6 SOL.
The malicious activity was discovered through deep analysis by the Socket security research team. Their investigation explained exactly how the hidden instruction was being added to the swap. They also identified the attacker’s wallet and shared technical indicators related to the threat. Their report became the foundation for public warnings about this scam.
One major reason this trick worked is how crypto wallets display information. Most wallet interfaces show only basic summaries like “Swap Token A to Token B.” They do not show all the underlying instructions unless users manually inspect the full details. This allowed the secret SOL transfer to stay completely hidden for many people.
Another concerning point is that the extension was still available on the Chrome Web Store when the findings were made public. It had passed the Web Store’s security checks even though it was performing malicious actions. To appear trustworthy, the extension used well-known services such as market trackers and reliable RPC providers. This made it look safe to unsuspecting users.
People who installed Crypto Copilot are strongly advised to uninstall it immediately. They should also check their recent Solana transactions on trusted explorers to look for unknown transfers. Any unexpected movement of SOL to unfamiliar wallets could mean their device was affected. It is also recommended to revoke older permissions and refresh security settings.
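The transaction check described above, sketched as an added example (not code from the article or from the Socket report): it scans a swap's instruction list for System Program transfers to unrecognised wallets and compares each amount with the fee pattern of 0.0013 SOL or 0.05%. The sample transaction is constructed, all addresses except the System Program ID are placeholders, and the jsonParsed-style input shape, the function names and the rounding are assumptions.

```javascript
// Added example. SAMPLE_TX is constructed; every address except the System
// Program ID is a placeholder, and the shape mirrors a jsonParsed transaction.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const MIN_FEE_LAMPORTS = 1_300_000; // 0.0013 SOL (1 SOL = 1e9 lamports)
const FEE_BPS = 5;                  // 0.05% of the swap amount

// Fee the article describes: the larger of the floor and the percentage.
// Rounding down is an assumption; the article does not state the rounding.
function expectedHiddenFee(swapLamports) {
  return Math.max(MIN_FEE_LAMPORTS, Math.floor((swapLamports * FEE_BPS) / 10_000));
}

// Top-level System Program transfers that move SOL out of `wallet` to an
// address the user does not recognise. `knownRecipients` holds addresses the
// user expects, e.g. their own wrapped-SOL token account.
function findUnexpectedTransfers(tx, wallet, knownRecipients = []) {
  const allowed = new Set([wallet, ...knownRecipients]);
  return tx.transaction.message.instructions
    .filter((ix) => ix.programId === SYSTEM_PROGRAM_ID && ix.parsed?.type === "transfer")
    .map((ix) => ix.parsed.info)
    .filter((info) => info.source === wallet && !allowed.has(info.destination))
    .map(({ destination, lamports }) => ({ destination, lamports }));
}

// Flag each unexpected transfer and note whether it equals the fee pattern.
function auditSwap(tx, wallet, swapLamports, knownRecipients = []) {
  const fee = expectedHiddenFee(swapLamports);
  return findUnexpectedTransfers(tx, wallet, knownRecipients)
    .map((t) => ({ ...t, matchesFeePattern: t.lamports === fee }));
}

const WALLET = "USER_WALLET_PLACEHOLDER";
const WSOL_ACCOUNT = "USER_WSOL_ACCOUNT_PLACEHOLDER";
const transfer = (destination, lamports) => ({
  programId: SYSTEM_PROGRAM_ID,
  parsed: { type: "transfer", info: { source: WALLET, destination, lamports } },
});
const SAMPLE_TX = { transaction: { message: { instructions: [
  transfer(WSOL_ACCOUNT, 1_000_000_000),                  // wrap 1 SOL for the swap
  { programId: "SWAP_PROGRAM_PLACEHOLDER", data: "..." }, // the swap itself
  transfer("UNKNOWN_WALLET_PLACEHOLDER", 1_300_000),      // the extra instruction
] } } };

console.log(auditSwap(SAMPLE_TX, WALLET, 1_000_000_000, [WSOL_ACCOUNT]));
```

A transfer that is flagged but does not match the fee pattern still deserves a look, since the comparison only covers the amounts this article reports.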
This incident reminds everyone to be extremely cautious when using crypto-related browser extensions. Only trusted, verified, and officially supported tools should be used for trading. For higher-value transactions, hardware wallets provide a much safer experience. Staying alert and checking every transaction carefully can prevent hidden scams like this from causing financial losses.
Stay alert, and keep your security measures updated!