A malicious Chrome extension is siphoning SOL from users, raising security concerns within the Solana ecosystem. While not a protocol-level exploit, it erodes user trust in third-party tools and could make users wary of interacting with Solana dApps, impacting demand.
The report provides detailed technical insights into how the extension operates, including hidden transaction instructions and obfuscated code, indicating a thorough investigation into the vulnerability.
The discovery of an active exploit stealing user funds via a deceptive extension creates negative sentiment, potentially leading to a decrease in user confidence and demand for SOL as security concerns rise.
The immediate impact could be a slight dip due to FUD (fear, uncertainty, doubt) and increased caution among users. However, unless it signals a broader systemic vulnerability, the market may recover relatively quickly, as the issue primarily affects users who install the specific malicious extension.
According to a recent report, the “Crypto Copilot” Chrome extension is siphoning SOL from anyone who installs it.
The extension pretends to be a trading helper for Solana users, letting you execute swaps directly from X (Twitter) posts. On the surface, it looks totally normal: it connects to standard wallets, shows DexScreener price data, and routes swaps through Raydium, Solana’s biggest AMM.
But underneath that UI, it secretly injects an extra instruction into every transaction you sign.
How it works
The extension quietly attaches a second instruction behind the scenes: a tiny, hidden SOL transfer to the attacker’s personal wallet. You never see it in the UI. Wallets like Phantom only show a summary unless you manually expand the instruction list. So most users never notice an outbound transfer buried inside the same transaction.
The fee-extraction code itself is simple: it calculates either a tiny fixed fee or a tiny percentage of the trade, converts it to lamports, and then quietly adds a second instruction to the transaction that sends that amount to the attacker’s wallet.
What makes it dangerous is that this logic is buried inside heavily obfuscated JavaScript. On the surface, the UI looks completely legitimate, showing only the expected Raydium swap.
The extension also connects to a backend domain with a typo, which records wallet IDs, tracks activity, and pretends to provide “points” and referrals even though the actual website is empty and non-functional.
On-chain, the theft looks like tiny, ordinary SOL transfers sitting next to legitimate swaps. Hence, unless someone inspects instructions carefully or knows the attacker’s address, it blends in. The fee is intentionally small enough to be ignored in the moment.
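The instruction-level inspection described above can be automated before signing. The following is an added example, not code from the report or the extension: it decodes System Program transfer instructions in an already-deserialized instruction list and reports any whose recipient is not on an allowlist. The wallet, pool and swap-program names are constructed placeholders, and the input shape (programId, accounts, data) is an assumption.

```javascript
// Added example: flag SOL transfers that ride along with a swap instruction.
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer discriminator (u32 LE)

// System Program Transfer data is 12 bytes: u32 LE index, then u64 LE lamports.
// Account order is [source, destination].
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID) return null;
  const data = Buffer.from(ix.data);
  if (data.length !== 12 || data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  if (ix.accounts.length < 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: data.readBigUInt64LE(4) };
}

// Return every SOL transfer whose destination is not an expected recipient.
function findUnexpectedTransfers(instructions, allowedRecipients) {
  const allowed = new Set(allowedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const transfer = decodeSystemTransfer(ix);
    if (transfer && !allowed.has(transfer.to)) findings.push({ index, ...transfer });
  });
  return findings;
}

// Helper that builds transfer data for the constructed sample below.
function transferData(lamports) {
  const buf = Buffer.alloc(12);
  buf.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  buf.writeBigUInt64LE(lamports, 4);
  return buf;
}

// Constructed sample: a swap instruction followed by a small extra transfer.
// All identifiers are placeholders, not real addresses or program IDs.
const USER = "UserWalletPlaceholder";
const sampleTx = [
  { programId: "SwapProgramPlaceholder", accounts: [USER, "PoolPlaceholder"],
    data: Buffer.from([9, 1, 2, 3]) },
  { programId: SYSTEM_PROGRAM_ID, accounts: [USER, "UnknownRecipientPlaceholder"],
    data: transferData(1_300_000n) },
];

for (const f of findUnexpectedTransfers(sampleTx, [USER])) {
  console.log(`instruction #${f.index}: ${f.lamports} lamports -> ${f.to}`);
}
```

The allowlist should include the user's own accounts that a swap legitimately funds, such as a wrapped-SOL token account, otherwise those transfers are reported too. The check covers only the plain Transfer instruction; other System Program instructions that move lamports would need their own decoders.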