WikiBit 2025-11-28 10:01
A dangerous Chrome browser extension is quietly stealing money from cryptocurrency traders on the Solana network. The malicious tool, called “Crypto
The stolen funds go to a specific wallet address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7. According to blockchain records, the attacker has only collected a small amount so far because the extension hasn't attracted many users.
Advanced Hiding Techniques
What makes this scam particularly dangerous is how well it hides the theft. The extension uses Raydium, a legitimate Solana trading platform, to process the actual trades. This makes everything look normal to users.
The malicious code is hidden using advanced techniques like minification and variable renaming, making it nearly impossible for regular users to detect. When users approve a transaction, their wallet shows what appears to be a single trade. In reality, two actions happen at the same time – the legitimate trade and the hidden theft.
Most Solana wallets show simplified transaction summaries instead of detailed breakdowns. This design choice, meant to make wallets easier to use, actually helps hide the scam from users.
The extension also connects to fake websites designed to look legitimate. The backend domain “crypto-coplilot-dashboard.vercel.app” loads only a blank page, and the main website “cryptocopilot.app” is parked by GoDaddy. These red flags should warn users that something isn't right.
Part of a Growing Problem
Crypto Copilot isn't the first malicious Chrome extension targeting cryptocurrency users. In August 2024, Jupiter, a major Solana trading platform, warned users about a dangerous extension called “Bull Checker” that was completely draining wallets rather than skimming small amounts. Separately, security researchers have found other fake wallets ranking high in Chrome Web Store search results.
In June 2024, a Chinese trader lost $1 million after installing a Chrome extension called “Aggr.” That extension stole browser cookies and hijacked accounts on centralized exchanges like Binance.
Recent research found 186 malicious cryptocurrency extensions out of 3,599 analyzed over 18 months. These fake tools have stolen over $1 million worth of cryptocurrency from unsuspecting users.
The problem is getting worse as more people use browser extensions for cryptocurrency trading. Chrome's massive user base and flexible permission system make it an attractive target for scammers.
Why Solana Users Are Vulnerable
Solana's technical design makes it easier for scammers to hide malicious transactions. The network allows multiple actions to happen in a single transaction, which attackers use to bundle legitimate trades with hidden thefts.
Many Solana users also trade meme coins and other fast-moving tokens, making them more likely to use tools that promise quick, convenient trading. This urgency can lead people to install extensions without carefully checking their legitimacy.
The extension specifically targets users following token discussions on Twitter, where crypto trading happens at a rapid pace. The promise of “one-click trading” appeals to traders who don't want to miss opportunities while switching between different platforms.
How to Stay Safe
Security experts recommend several steps to protect against malicious extensions:
First, always review transaction details before approving them. Look for unexpected transfers or instructions that don't match what you intended to do. On Solana, check for any SystemProgram.transfer instructions you didn't expect.
Second, only install extensions from verified developers with good reputations. Avoid downloading extensions that request excessive permissions, especially the ability to read and modify all website data.
Third, if you've already installed Crypto Copilot, move your cryptocurrency to a new, clean wallet immediately. Also revoke all website connections for your old wallet to prevent further unauthorized access.
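The first recommendation above, together with the earlier point that Solana allows several actions in one transaction, can be checked mechanically. The following is an added example, not code from the article or from Socket: it scans a transaction in the Solana RPC "jsonParsed" form, including inner instructions, for System Program transfers out of the wallet to destinations the user did not expect. Every address and amount in the sample is a constructed placeholder.

```javascript
// Added example: audit one transaction (RPC getTransaction, "jsonParsed" encoding)
// for System Program transfers the wallet owner did not intend.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const TRANSFER_TYPES = new Set(["transfer", "transferWithSeed"]);

// Collect top-level and inner (CPI) instructions with a readable position label.
function allInstructions(tx) {
  const out = tx.transaction.message.instructions.map((ix, i) => ({ ix, where: `#${i}` }));
  for (const inner of (tx.meta && tx.meta.innerInstructions) || []) {
    inner.instructions.forEach((ix, j) => out.push({ ix, where: `#${inner.index}.${j}` }));
  }
  return out;
}

// Return every SOL transfer out of `wallet` whose destination is not in `expected`.
function findUnexpectedTransfers(tx, wallet, expected = []) {
  const allow = new Set([wallet, ...expected]);
  const findings = [];
  for (const { ix, where } of allInstructions(tx)) {
    if (ix.programId !== SYSTEM_PROGRAM_ID || !ix.parsed) continue; // not a parsed system ix
    if (!TRANSFER_TYPES.has(ix.parsed.type)) continue;              // not a SOL transfer
    const info = ix.parsed.info;
    // transferWithSeed is signed by sourceBase rather than source
    const fromWallet = info.source === wallet || info.sourceBase === wallet;
    if (fromWallet && !allow.has(info.destination)) {
      findings.push({ where, destination: info.destination, lamports: BigInt(info.lamports) });
    }
  }
  return findings;
}

// Constructed sample: a swap instruction with a second transfer riding along.
const sampleTx = {
  transaction: { message: { instructions: [
    { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [], data: "" },
    { program: "system", programId: SYSTEM_PROGRAM_ID,
      parsed: { type: "transfer", info: { source: "USER_WALLET_PLACEHOLDER",
        destination: "UNKNOWN_DEST_PLACEHOLDER", lamports: 1300000 } } },
  ] } },
  meta: { innerInstructions: [{ index: 0, instructions: [
    { program: "system", programId: SYSTEM_PROGRAM_ID,
      parsed: { type: "transfer", info: { source: "USER_WALLET_PLACEHOLDER",
        destination: "WSOL_ACCOUNT_PLACEHOLDER", lamports: 100000000 } } },
  ] }] },
};

console.log(findUnexpectedTransfers(sampleTx, "USER_WALLET_PLACEHOLDER", ["WSOL_ACCOUNT_PLACEHOLDER"]));
```

The `expected` list holds destinations the user knowingly funds, such as their own wrapped-SOL account; anything else that receives SOL from the wallet in the same transaction is reported with its instruction position.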
The extension was published by a user named “sjclark76” and currently has only 15-18 users with a one-star rating on the Chrome Web Store. Socket submitted a takedown request to Google, but the extension remained available as of late November 2024.
Users should also be skeptical of extensions that promise unrealistic convenience or profits. Legitimate trading tools typically require users to visit actual trading platforms rather than offering shortcuts through browser extensions.
The Bottom Line
The Crypto Copilot scam shows how cryptocurrency thieves are becoming more sophisticated. Instead of trying to steal entire wallets at once, they're now using subtle, long-term strategies that are harder to detect.
This approach is particularly dangerous because victims might not notice small amounts being stolen over time. For active traders, these tiny thefts can add up to significant losses over weeks or months.