Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps
Blog post from Socket
Socket's Threat Research Team has identified a malicious Chrome extension named Crypto Copilot, marketed as a tool for executing Solana trades directly from Twitter feeds. The extension injects an additional transfer fee into every Solana swap, sending a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet, without disclosure on the Chrome Web Store listing. The fee injection is hidden within heavily obfuscated code, making it difficult for users to detect the unauthorized transfer. Crypto Copilot connects with popular Solana wallets and uses various legitimate services to create a façade of authenticity, while the backend infrastructure lacks genuine functionality, indicating malicious intent. The extension's marketing focuses on convenience and speed but omits any mention of the hidden fees, which are rarely noticed because they are integrated into normal swap transactions. The extension remains available, and Socket has requested its removal from the Chrome Web Store, advising users to review transactions carefully and avoid similar extensions.
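
A pre-signing check for the fee injection described above, as an added example that is not from Socket's post or the extension's code. It models instructions as plain objects (an assumption, not the @solana/web3.js types), uses placeholder addresses and constructed data, and reads the stated fee as the larger of 0.0013 SOL and 0.05% of the trade.

```javascript
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const TRANSFER_INDEX = 2;                                   // SystemInstruction::Transfer
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Transfer data layout: u32 LE instruction index, then u64 LE lamports.
function parseSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.byteLength < 12) return null;
  const v = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (v.getUint32(0, true) !== TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: v.getBigUint64(4, true) };
}

// Flag SOL leaving the user's wallet for any address the user did not expect.
// expectedRecipients covers legitimate destinations, e.g. the user's own wrapped-SOL account.
function findUnexpectedTransfers(tx, userWallet, expectedRecipients = []) {
  const allowed = new Set([userWallet, ...expectedRecipients]);
  return tx.instructions
    .map(parseSystemTransfer)
    .filter((t) => t !== null && t.from === userWallet && !allowed.has(t.to));
}

// Assumption: the page's "minimum of 0.0013 SOL or 0.05%" is read as the larger of the two.
function feeDescribedOnPage(tradeLamports) {
  const floor = 1_300_000n;                   // 0.0013 SOL
  const pct = (tradeLamports * 5n) / 10_000n; // 0.05% of the trade
  return pct > floor ? pct : floor;
}

// Helper that builds the instruction data for the constructed sample below.
function encodeTransfer(lamports) {
  const data = new Uint8Array(12);
  const v = new DataView(data.buffer);
  v.setUint32(0, TRANSFER_INDEX, true);
  v.setBigUint64(4, lamports, true);
  return data;
}

// Constructed sample: a 10 SOL swap with one extra transfer appended. All ids are placeholders.
const USER = "UserWalletPlaceholder";
const trade = 10n * LAMPORTS_PER_SOL;
const sampleTx = { instructions: [
  { programId: "SwapProgramPlaceholder", accounts: [USER, "PoolPlaceholder"], data: new Uint8Array([1, 2, 3]) },
  { programId: SYSTEM_PROGRAM, accounts: [USER, "UnknownRecipientPlaceholder"], data: encodeTransfer(5_000_000n) },
] };

for (const t of findUnexpectedTransfers(sampleTx, USER)) {
  const matches = t.lamports === feeDescribedOnPage(trade);
  console.log(`undisclosed transfer: ${t.lamports} lamports to ${t.to} (matches described fee: ${matches})`);
}
```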