
Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

Severity: Medium
Tags: Vulnerability, web
Published: Wed Nov 26 2025 (11/26/2025, 11:10:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. The extension, named Crypto Copilot, was first published by a user named "sjclark76" on May 7, 2024. The developer describes the browser add-on as

AI-Powered Analysis

AI analysis last updated: 11/26/2025, 12:04:27 UTC

Technical Analysis

Cybersecurity researchers identified a malicious Chrome extension named Crypto Copilot, published on May 7, 2024, which targets users performing swaps on Raydium, a decentralized exchange on the Solana blockchain. The extension appends a hidden transfer instruction to the swap transaction before the user signs it, so the single signature the user grants for the swap also authorizes a stealth fee to a hardcoded attacker wallet. This fee is calculated as a minimum of 0.0013 SOL or 0.05% of the swap amount, with a cap at 2.6 SOL for larger trades. The malicious code is obfuscated through minification and variable renaming to evade detection during Chrome Web Store review and by users. Crypto Copilot also communicates with a backend server to register wallets and report user activity, further indicating a coordinated attack infrastructure. The attack exploits the trust users place in browser extensions and the complexity of blockchain transactions, where users often do not inspect every instruction before signing. By leveraging legitimate services like DexScreener and Helius RPC, the extension masks its malicious behavior behind a veneer of legitimacy. Although the extension has limited installs, its presence on the official Chrome Web Store and stealthy operation make it a significant threat to Solana users. No known exploits in the wild have been reported beyond this discovery, but the potential for financial theft is clear. The attack highlights risks inherent in decentralized finance (DeFi) ecosystems where user transaction approval is critical and can be manipulated by compromised client-side software.

Potential Impact

For European organizations, especially those involved in cryptocurrency trading, blockchain development, or financial services integrating Solana-based DeFi platforms, this threat could lead to direct financial losses through unauthorized siphoning of funds during swaps. Users may unknowingly lose small but cumulative amounts of SOL, impacting individual traders and potentially institutional wallets if used via compromised browsers. The stealth nature of the attack complicates detection and forensic analysis, increasing risk exposure. Loss of trust in browser-based crypto tools could also harm the reputation of European crypto service providers. Additionally, organizations relying on employee use of such extensions may face indirect impacts through compromised operational funds or client assets. Given the extension’s presence on the Chrome Web Store, the threat extends to any European user of Chrome performing Solana swaps, increasing the attack surface. Regulatory compliance risks may arise if organizations fail to protect client assets or do not adequately inform users about such threats. The attack underscores the need for stringent controls around third-party software in crypto environments.

Mitigation Recommendations

European organizations should implement strict policies restricting the installation of unvetted browser extensions, especially those related to cryptocurrency trading. Users must be educated to verify transaction details carefully before signing, including inspecting all instructions in blockchain transactions. Employing hardware wallets or dedicated transaction-signing devices can reduce risk by isolating signing from potentially compromised browsers. Security teams should monitor network traffic for unusual communications to suspicious domains like crypto-coplilot-dashboard.vercel.app and block them via DNS or firewall rules. Regular audits of browser extensions installed on corporate devices are essential, removing any that are not explicitly approved. Organizations should encourage use of official or well-reviewed crypto tools and maintain up-to-date threat intelligence feeds to detect emerging malicious extensions. Collaboration with browser vendors to report and expedite removal of malicious extensions is critical. Finally, integrating transaction anomaly detection systems that flag unexpected transfer instructions in blockchain transactions can provide an additional layer of defense.
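The last recommendation above, a check that flags unexpected transfer instructions before a transaction is signed, as an added example. This is not code from the article, the extension, or Raydium. It models a decoded Solana transaction as a plain list of instructions, decodes System Program transfers from their raw instruction data (the real encoding: a little-endian u32 instruction index of 2 followed by a little-endian u64 lamport amount), and reports any transfer whose destination is not one of the user's own accounts. The System Program id is the real one; the Raydium AMM program id is an assumption to verify; all wallet addresses, the swap instruction data, and the sample transactions are constructed. The fee schedule function reproduces the numbers stated in the analysis (0.05%, floor 0.0013 SOL, cap 2.6 SOL) only so that the sample injected transfer has a realistic size.

```javascript
// Added example (not code from the article, the extension, or Raydium): a
// pre-signing policy check over a decoded Solana transaction. Every System
// Program transfer is decoded and flagged unless its destination is one the
// user expects. All wallet addresses and swap data below are constructed.

const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const RAYDIUM_AMM_V4 = "675kPX9MHTjS2zt1qfr1NYHuzeLXfQM9H24wFSUt1Mp8"; // assumed Raydium AMM v4 id; verify before use
const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_TRANSFER_INDEX = 2; // SystemInstruction::Transfer enum index

// Fee schedule as described in the analysis above: 0.05% of the swap,
// at least 0.0013 SOL and at most 2.6 SOL, expressed in lamports.
function describedFeeLamports(swapLamports) {
  const pct = Math.floor((swapLamports * 5) / 10000);
  return Math.min(Math.max(pct, 1_300_000), 2_600_000_000);
}

// System Program Transfer instruction data: u32 LE index (2) + u64 LE lamports.
function encodeSystemTransfer(lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(SYSTEM_TRANSFER_INDEX, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return data;
}

// Returns {from, to, lamports} for a Transfer, or null for anything else.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  if (ix.data.readUInt32LE(0) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: ix.data.readBigUInt64LE(4) };
}

// Walk the instruction list; any lamport transfer to a destination outside
// the allowlist (the user's own accounts) is reported with its position.
function findUnexpectedTransfers(tx, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, sol: Number(t.lamports) / LAMPORTS_PER_SOL });
    }
  });
  return findings;
}

// Decision helper a wallet or signing proxy would call before prompting.
function shouldSign(tx, allowedDestinations) {
  return findUnexpectedTransfers(tx, allowedDestinations).length === 0;
}

// Constructed sample accounts (placeholders, not real addresses).
const USER = "UserWalletPlaceholder111111111111111111111111";
const USER_WSOL_TEMP = "UserWsolTempPlaceholder1111111111111111111111";
const UNKNOWN_DEST = "UnknownWalletPlaceholder11111111111111111111";

// A simplified swap: fund a temporary wrapped-SOL account (a transfer to the
// user's own account, legitimate), then call the AMM. With injectFee=true an
// extra transfer to an unknown wallet is appended, mirroring the behaviour
// described above. The AMM instruction data is opaque and constructed.
function buildSampleSwap(swapLamports, injectFee) {
  const instructions = [
    { programId: SYSTEM_PROGRAM, accounts: [USER, USER_WSOL_TEMP], data: encodeSystemTransfer(swapLamports) },
    { programId: RAYDIUM_AMM_V4, accounts: [USER_WSOL_TEMP, USER], data: Buffer.from([9, 0, 0, 0]) },
  ];
  if (injectFee) {
    instructions.push({
      programId: SYSTEM_PROGRAM,
      accounts: [USER, UNKNOWN_DEST],
      data: encodeSystemTransfer(describedFeeLamports(swapLamports)),
    });
  }
  return { feePayer: USER, instructions };
}

const clean = buildSampleSwap(10 * LAMPORTS_PER_SOL, false);
const tampered = buildSampleSwap(10 * LAMPORTS_PER_SOL, true);
console.log("clean swap passes:", shouldSign(clean, [USER, USER_WSOL_TEMP]));
console.log("tampered swap findings:", findUnexpectedTransfers(tampered, [USER, USER_WSOL_TEMP]));
```

The allowlist is the key design choice: a native-SOL swap legitimately contains a System Program transfer into the user's own temporary wrapped-SOL account, so the rule is not "no transfers" but "no transfers to accounts the signer does not control or expect". A wallet applying this check would have shown the 0.005 SOL transfer to an unknown destination on a 10 SOL swap as a separate line item rather than folding it into one approval prompt.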


Technical Details

Article source: https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html (fetched 2025-11-26T12:03:53Z, 998 words)

Threat ID: 6926ecac61dc91128fa49d7c

Added to database: 11/26/2025, 12:03:56 PM

Last enriched: 11/26/2025, 12:04:27 PM

Last updated: 12/4/2025, 9:16:48 PM

Views: 102
