Chrome Extension Exposed for Injecting Hidden SOL Fees
The post Chrome Extension Exposed for Injecting Hidden SOL Fees appeared on BitcoinEthereumNews.com.
The Hack: A Chrome extension named “Crypto Copilot” secretly adds a fee transfer to user swaps.
The Trick: It hides a SystemProgram.transfer instruction inside legitimate Raydium transactions.
The Fix: Users must verify individual transaction instructions in their wallet preview before signing.

A malicious browser extension masquerading as a Solana trading tool has been caught siphoning funds from users by silently modifying transaction payloads. Security researchers identified a harmful Chrome extension that secretly steals small amounts of SOL from Solana users during swaps. The extension, named Crypto Copilot, looks like a normal trading tool but quietly adds an extra transfer to every trade.

How the Fake Extension Works

Socket’s Threat Research Team found that Crypto Copilot has been available on the Chrome Web Store since June 2024. It advertises itself as a tool that lets people trade Solana tokens directly from their X feed. The extension shows token prices, connects to popular wallets, and looks completely safe on the surface.

However, when a user performs a swap, the extension builds the normal Raydium swap instruction and then secretly adds a second instruction. The extra instruction sends SOL to an attacker-controlled wallet without telling the user. The minimum amount taken is 0.0013 SOL, or 0.05 percent of the swap size if the trade is large enough.

Wallets usually show only the main summary of a transaction. Most users will not expand the full instruction list, so they will not notice that two separate actions are being signed at once.

Looks legit on the outside; suspicious inside

Crypto Copilot tries hard to appear like a real and helpful product. It detects token names on X, shows DexScreener data, and supports well-known wallets such as Phantom and Solflare. It also asks only for common wallet permissions. But the backend reveals the truth.…
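The instruction-level check the article recommends can be automated before signing. The sketch below is an added example, not code from Socket, the extension, or any wallet: it walks an already-decoded instruction list and flags System Program transfers out of the user's wallet to recipients the user did not expect. The instruction object shape, the function names, and every address in the sample are assumptions or placeholders constructed for illustration.

```javascript
// System Program address (32 base58 '1' characters). A Transfer is encoded as
// u32 LE instruction index 2, then u64 LE lamports, with accounts [from, to].
const SYSTEM_PROGRAM_ID = "1".repeat(32);
const SYSTEM_TRANSFER_INDEX = 2;
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Decode a System Program transfer; returns null for anything else or malformed data.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.accounts.length < 2) return null;
  const data = Buffer.from(ix.data);
  if (data.length < 12 || data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// Render lamports as a decimal SOL string without floating-point rounding.
function formatSol(lamports) {
  const whole = lamports / LAMPORTS_PER_SOL;
  const frac = (lamports % LAMPORTS_PER_SOL).toString().padStart(9, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Flag each SOL transfer out of the user's wallet whose recipient is not in
// expectedRecipients (for example, the user's own wrapped-SOL account).
function findUnexpectedTransfers(instructions, userWallet, expectedRecipients = []) {
  const expected = new Set(expectedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t || t.from !== userWallet || expected.has(t.to)) return;
    findings.push({ index, to: t.to, lamports: t.lamports, sol: formatSol(t.lamports) });
  });
  return findings;
}

// Constructed sample: a swap instruction followed by an appended transfer.
// Program id, wallet and recipient strings are placeholders, not on-chain values.
function transferData(lamports) {
  const b = Buffer.alloc(12);
  b.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  b.writeBigUInt64LE(lamports, 4);
  return b;
}
const USER = "USER_WALLET_PLACEHOLDER";
const SAMPLE_TX = [
  { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER, "POOL_PLACEHOLDER"], data: Buffer.from([9, 0, 0]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UNKNOWN_RECIPIENT_PLACEHOLDER"], data: transferData(1_300_000n) },
];
console.log(findUnexpectedTransfers(SAMPLE_TX, USER));
```

The sample amount of 1,300,000 lamports corresponds to the 0.0013 SOL minimum reported above.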
Filed under: News - @ November 28, 2025 9:25 am