Malicious Chrome Extension Crypto Copilot Siphons SOL from Users

Socket’s Threat Research Team discovered a malicious Chrome extension, Crypto Copilot, which steals SOL from users during Solana swaps. The extension, marketed as a tool for instant trades from social media feeds, injects an extra transfer into every swap, sending a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The fee behavior is hidden within obfuscated code and not disclosed on the Chrome Web Store listing. The extension communicates with a suspicious backend, and the main domain is parked, indicating a lack of legitimate infrastructure. Users are advised to review transaction instructions carefully and avoid closed-source trading extensions.