Solana Users Face Hidden SOL Fees from Malicious Chrome Extension
The post Solana Users Face Hidden SOL Fees from Malicious Chrome Extension appeared on BitcoinEthereumNews.com.
Crypto Copilot malware has been secretly draining SOL from users’ wallets since June 2025 by injecting hidden transfer instructions into Raydium swaps. Cybersecurity firm Socket uncovered this threat, revealing how the Chrome extension extracts at least 0.0013 SOL or 0.05% per trade without user knowledge. Immediate removal and transaction vigilance are essential to protect Solana assets. Cybersecurity researchers at Socket identified the malicious extension during routine Chrome Web Store monitoring. The extension appends undisclosed SOL transfers to every swap, scaling fees based on trade size for maximum extraction. Over 0.0013 SOL minimum or 0.05% of larger trades have been siphoned, with total funds to date remaining modest due to limited adoption. What is the Crypto Copilot Malware? The Crypto Copilot malware is a deceptive Chrome browser extension posing as a Solana trading assistant that has been active since June 2025. It injects hidden transaction instructions into Raydium swaps, silently transferring SOL to an attacker-controlled wallet. Users remain unaware as the interface masks the extra fee, emphasizing the need for caution with third-party trading tools. How Does Solana Hidden Fees Work in This Extension? Solana hidden fees in the Crypto Copilot extension operate through obfuscated code that appends a secondary transfer to legitimate swap instructions on Raydium, a leading Solana decentralized exchange. For trades under 2.6 SOL, a flat 0.0013 SOL fee applies; larger swaps incur 0.05% of the amount, potentially costing $10 on a 100 SOL trade at current prices. Security engineer Kush Pandya from Socket explained, “Aggressive code obfuscation and hardcoded attacker addresses were key red flags our AI scanner detected, leading to confirmation of the fee mechanism.” This structure evades user detection, as wallet pop-ups show only the primary swap details, while both instructions execute on-chain simultaneously. The report highlights that such browser extensions combining social features with…
Filed under: News - @ November 27, 2025 11:18 pm