Malicious Chrome Extension Skims Fees from Solana Trades

A deceptive Google Chrome extension has been discovered exploiting Solana (SOL) traders. According to a recent report by cybersecurity firm Socket, the extension, called Crypto Copilot and posing as a convenience tool, quietly skims a portion of each Solana swap and redirects it to the creator's wallet. Unlike conventional wallet drainers, which aim to steal the entire balance, Crypto Copilot discreetly "injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade," Socket's investigation revealed. Taking only a small cut of each trade makes the malicious activity harder for users to notice. On the backend, Crypto Copilot uses the decentralized exchange Raydium to execute swaps, but it appends a second instruction to the transaction that transfers SOL from the user to the attacker. The extension's user interface displays the swap details, while the wallet confirmation screens "summarize the transaction without surfacing individual instructions," effectively concealing the extra transfer. "Users sign what appears to be a single swap, but both instructions execute atomically on-chain," Socket explained, which is what makes the attack so hard to spot.
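The defensive takeaway from Socket's description is that the wallet's summary is not the thing to trust; the instruction list is. The following is an added example, not code from Socket's report or from the extension, of a pre-signing audit that walks every instruction in a Solana transaction and flags System Program SOL transfers that debit the user toward an account the requested swap never touches. Real transactions would be decoded with @solana/web3.js; to stay runnable offline, instructions are modelled as plain objects of the same shape (`programId`, `keys`, `data`), the swap program id and all wallet addresses are constructed placeholders (only the System Program id is the real all-ones key), and Socket's "a minimum of 0.0013 SOL or 0.05% of the trade" is read as the larger of the two, which is an assumption about how the figure is meant.

```javascript
// Added example, not code from Socket's report or the Crypto Copilot extension.
// Instruction model (same shape as @solana/web3.js TransactionInstruction):
//   { programId, keys: [{ pubkey, isSigner, isWritable }], data: Uint8Array }

// The System Program id is the well-known all-ones key. The swap program id
// and every account key below are constructed placeholders, not real addresses.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const SWAP_PROGRAM = "PLACEHOLDER_RAYDIUM_SWAP_PROGRAM";
const LAMPORTS_PER_SOL = 1_000_000_000n;

// System Program instruction data: u32 LE instruction index, then arguments.
// Index 2 is Transfer, whose only argument is a u64 LE lamport amount.
const SYSTEM_IX_TRANSFER = 2;

function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_IX_TRANSFER) return null;
  return {
    from: ix.keys[0].pubkey,
    to: ix.keys[1].pubkey,
    lamports: view.getBigUint64(4, true),
  };
}

// Socket's figure, "a minimum of 0.0013 SOL or 0.05% of the trade", read here
// (assumption) as the larger of the two for a trade of the given size.
function expectedSkimLamports(tradeLamports) {
  const floor = 1_300_000n;                            // 0.0013 SOL
  const proportional = (tradeLamports * 5n) / 10_000n; // 0.05%
  return proportional > floor ? proportional : floor;
}

// Walk the raw instruction list (not the wallet's summary) and return every
// System transfer that debits the user toward an account outside the set the
// swap legitimately touches (e.g. the user's own wrapped-SOL account).
function auditSwapTransaction(tx, userPubkey, allowedRecipients) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const transfer = decodeSystemTransfer(ix);
    if (!transfer) return;
    if (transfer.from === userPubkey && !allowedRecipients.has(transfer.to)) {
      findings.push({ index, to: transfer.to, lamports: transfer.lamports });
    }
  });
  return findings;
}

function lamportsToSol(lamports) {
  return Number(lamports) / Number(LAMPORTS_PER_SOL);
}

// --- constructed sample: a swap, a legitimate WSOL funding, and one injected transfer
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, SYSTEM_IX_TRANSFER, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

const USER = "PLACEHOLDER_USER_WALLET";
const USER_WSOL = "PLACEHOLDER_USER_WSOL_ACCOUNT";
const UNKNOWN_RECIPIENT = "PLACEHOLDER_UNKNOWN_RECIPIENT";
const ALLOWED = new Set([USER_WSOL]);
const TRADE_LAMPORTS = 1_000_000_000n; // a constructed 1 SOL trade

const SAMPLE_TX = {
  instructions: [
    // Swap instruction: opaque to this check, interpreted by the swap program.
    { programId: SWAP_PROGRAM,
      keys: [{ pubkey: USER, isSigner: true, isWritable: true }],
      data: new Uint8Array([9]) },
    // Funding the user's own wrapped-SOL account: legitimate, recipient is allowed.
    { programId: SYSTEM_PROGRAM,
      keys: [{ pubkey: USER, isSigner: true, isWritable: true },
             { pubkey: USER_WSOL, isSigner: false, isWritable: true }],
      data: transferData(TRADE_LAMPORTS) },
    // Appended transfer to an account the user never selected: this is the skim.
    { programId: SYSTEM_PROGRAM,
      keys: [{ pubkey: USER, isSigner: true, isWritable: true },
             { pubkey: UNKNOWN_RECIPIENT, isSigner: false, isWritable: true }],
      data: transferData(expectedSkimLamports(TRADE_LAMPORTS)) },
  ],
};

const findings = auditSwapTransaction(SAMPLE_TX, USER, ALLOWED);
for (const f of findings) {
  console.log(`instruction ${f.index}: ${lamportsToSol(f.lamports)} SOL to ${f.to} is not part of the requested swap`);
}
```

The allow-list is the part that needs care in practice: a genuine swap may legitimately move SOL into accounts the user owns (such as a wrapped-SOL token account), so the check compares recipients against the accounts the swap is expected to touch rather than rejecting every transfer. Anything outside that set is worth surfacing to the user before the signature is given, precisely because the wallet prompt will not.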

A Long-Lived Operation

Socket has reported the malicious extension to the Chrome Web Store security team, requesting its removal. Despite being published on June 18, 2024, the extension, dubbed Crypto Copilot, surprisingly claims to have only 15 users at the time of this report. Crypto Copilot is marketed as a tool allowing Solana traders to execute swaps directly from their X (formerly Twitter) feeds. It lures users with the promise of "allowing you to act on trading opportunities instantly without the need for switching between apps or platforms."

The Latest in a String of Malicious Chrome Extensions

Google Chrome's massive user base and flexible extension system have made its extension ecosystem a prime target for cryptocurrency-related scams. Earlier this month, Socket warned that the fourth-most-popular crypto wallet extension in the Chrome Web Store was actively draining user funds. In late August, decentralized exchange aggregator Jupiter reported discovering another malicious Chrome extension emptying Solana wallets. In June 2024, a Chinese trader reportedly lost $1 million after installing a Chrome plugin called Aggr. That extension stole browser cookies to hijack accounts, including access to the trader's Binance account. This underscores the ever-present need for vigilance when installing browser extensions, especially those related to cryptocurrency.

Risk Warning: this article represents only the author's views and is for reference only. It does not constitute investment advice or financial guidance, nor does it represent the stance of the Markets.com platform. When considering shares, indices, forex (foreign exchange) and commodities for trading and price predictions, remember that trading CFDs involves a significant degree of risk and could result in capital loss. Past performance is not indicative of any future results. This information is provided for informative purposes only and should not be construed to be investment advice. Trading cryptocurrency CFDs and spread bets is restricted for all UK retail clients.