Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.
The extension, named Crypto Copilot, was first published by a user named "sjclark76" on May 7, 2024. The developer describes the browser add-on as offering the ability to "trade crypto directly on X with real-time insights and seamless execution." The extension has 12 installs and remains available for download as of writing.
"Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet," Socket security researcher Kush Pandya said in a Tuesday report.
Specifically, the extension incorporates obfuscated code that comes to life when a user performs a Raydium swap, manipulating it to inject an undisclosed SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.
It works by appending a hidden SystemProgram.transfer util method to each swap before the user's signature is requested, and sends the fee to a hard-coded wallet embedded in the code. The fee is calculated based on the amount traded, charging a minimum of 0.0013 SOL for trades and 2.6 SOL and 0.05% of the swap amount if it's more than 2.6 SOL. To avoid detection, the malicious behavior is concealed using techniques like minification and variable renaming.
The extension also communicates with a backend hosted on the domain "crypto-coplilot-dashboard.vercel[.]app" to register connected wallets, fetch points and referral data, and report user activity. The domain, along with "cryptocopilot[.]app," does not host any real product.
What's notable about the attack is that users are completely kept in the dark about the hidden platform fee, and the user interface only shows details of the swap. Furthermore, Crypto Copilot makes use of legitimate services like DexScreener and Helius RPC to lend it a veneer of trust.
"Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing," Pandya said. "The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background."
