Hackers in disguise: new Chrome extension siphons off money from Solana traders

A malicious Google Chrome extension named Crypto Copilot has been discovered that siphons off hidden fees during cryptocurrency trades. Researchers from Socket drew attention to it.

The tool enabled users to execute transactions on the Solana network "directly through the feed in X." However, each transaction incurred additional fees amounting to at least 0.0013 SOL or 0.05% of the total amount.

The funds were routed to a wallet controlled by the attacker. Notably, the extension's description does not mention these fees, which were obscured in the code using "confusing programming."

"When a user performs a swap, Crypto Copilot generates the expected swap instruction via Raydium and then discreetly adds a second instruction that transfers SOL from the user to [the fraudster]," explained cybersecurity experts.
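The appended-transfer pattern described above can be caught by inspecting a transaction's instruction list before signing. The following is an added example, not code from Socket or from the extension: it assumes the transaction has already been decoded into instructions with resolved account addresses, and every address and the sample transaction are constructed placeholders. Only the System Program id and the Transfer layout are real Solana constants.

```javascript
// System Program id and Transfer layout are Solana constants; all other values are constructed.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const LAMPORTS_PER_SOL = 1_000_000_000n;

// Decode a System Program Transfer: u32 LE discriminator (2) followed by u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Flag SOL transfers out of the user's wallet to recipients the user does not own.
function findUndisclosedTransfers(instructions, userWallet, ownedAccounts = []) {
  const owned = new Set([userWallet, ...ownedAccounts]);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === userWallet && !owned.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}

// Helper used only to build the constructed sample below.
function transferData(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, lamports, true);
  return data;
}

const USER = "UserWallet_PLACEHOLDER";
const WSOL_ACCOUNT = "UserWrappedSolAccount_PLACEHOLDER";
const sampleTx = [
  // Funding the user's own wrapped-SOL account: an expected part of a swap.
  { programId: SYSTEM_PROGRAM, accounts: [USER, WSOL_ACCOUNT], data: transferData(2n * LAMPORTS_PER_SOL) },
  // The swap instruction itself (opaque to this check).
  { programId: "SwapProgram_PLACEHOLDER", accounts: [USER, WSOL_ACCOUNT], data: new Uint8Array([9, 0, 0]) },
  // Appended transfer of 0.0013 SOL (1,300,000 lamports) to an address the user does not own.
  { programId: SYSTEM_PROGRAM, accounts: [USER, "UnknownRecipient_PLACEHOLDER"], data: transferData(1_300_000n) },
];

const findings = findUndisclosedTransfers(sampleTx, USER, [WSOL_ACCOUNT]);
for (const f of findings) console.log(`instruction #${f.index}: ${f.lamports} lamports -> ${f.to}`);
```

A flagged instruction is a prompt for review, not proof of theft: a recipient the user recognises can be added to `ownedAccounts`.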

The extension connects to Phantom, Solflare, and other standard Solana wallets while also displaying token data from DexScreener. Its marketing headline highlights speed, convenience, and "one-click trading."

At the time of writing, Crypto Copilot remains available for download from the Chrome Web Store, even though Socket's team has filed a complaint with Google. The extension has been operational since June 2024.

"The program connects to the webpage, recognizes tokens, and offers a swap button next to popular posts [in X]. To connect and sign transactions, it requests standard wallet permissions, which in itself is not unusual," noted the researchers.

It is worth recalling that in August, the Jupiter team found a malicious Chrome extension named Bull Checker, which was aimed at stealing assets on the Solana network.