Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps
A malicious Chrome extension has been identified injecting hidden Solana blockchain transfer fees into Raydium decentralized exchange swaps. This covert manipulation results in users unknowingly paying extra fees during token swaps on Raydium, a popular Solana-based DeFi platform. The threat exploits users who interact with the Raydium interface via the compromised extension, altering transaction parameters without their consent. Although no known exploits in the wild have been reported yet, the high severity rating reflects the potential financial impact and trust erosion in DeFi tools. European organizations and individuals involved in cryptocurrency trading or DeFi activities on Solana are at risk of financial losses. Defenders should audit installed browser extensions, especially those related to cryptocurrency, and verify transaction details on-chain before approval. Countries with significant cryptocurrency adoption and active DeFi communities, such as Germany, the Netherlands, and the UK, are more likely to be affected. The threat is assessed as high severity due to direct financial impact, ease of exploitation through browser extension compromise, and lack of user awareness. Immediate mitigation involves removing suspicious extensions, using hardware wallets, and monitoring blockchain transactions for anomalies.
AI Analysis
Technical Summary
The threat involves a malicious Chrome browser extension that manipulates decentralized finance (DeFi) transactions on the Solana blockchain, specifically targeting swaps conducted on Raydium, a popular Solana-based decentralized exchange (DEX). This extension covertly injects additional Solana transfer fees into the swap transactions without user consent or knowledge. By altering the transaction parameters, the extension causes users to pay inflated fees, effectively siphoning funds during token swaps. The attack leverages the trust users place in browser extensions and the complexity of blockchain transactions, which often makes fee structures opaque to end users. Although no widespread exploitation has been reported yet, the stealthy nature of the manipulation and the financial consequences classify this as a high-severity threat. The attack vector is the installation of a compromised or malicious Chrome extension, which then intercepts and modifies transaction data in real-time. This threat highlights the risks associated with third-party browser extensions in the cryptocurrency ecosystem, especially in DeFi platforms where transactions are irreversible and fees are critical to transaction validity. The absence of a CVSS score necessitates an assessment based on impact and exploitability, confirming the high severity due to direct financial loss potential, ease of exploitation via extension installation, and the broad user base of Chrome and Solana DeFi platforms.
Potential Impact
For European organizations and individuals engaged in cryptocurrency trading or DeFi activities on the Solana network, this threat can lead to direct financial losses through unauthorized fee inflation. The injection of hidden fees undermines user trust in DeFi platforms and browser extensions, potentially causing reputational damage to affected entities. Financial institutions or fintech companies facilitating crypto transactions may face increased customer complaints or regulatory scrutiny if clients are impacted. The stealthy nature of the attack complicates detection, increasing the risk of prolonged exploitation. Additionally, the threat could disrupt normal trading activities on Raydium, affecting liquidity and market confidence. Given the irreversible nature of blockchain transactions, victims have limited recourse to recover lost funds. This could also slow adoption of DeFi services in Europe if users perceive the ecosystem as insecure. Overall, the financial and reputational impacts are significant, especially for entities with high exposure to Solana-based DeFi operations.
Mitigation Recommendations
1. Implement strict policies for browser extension installation, limiting users to vetted and trusted extensions only.
2. Educate users and employees about the risks of malicious extensions, emphasizing the importance of verifying extension sources and permissions.
3. Encourage the use of hardware wallets or secure transaction signing methods that do not rely solely on browser extensions.
4. Monitor transaction fees closely on Solana DeFi platforms to detect anomalies or unexpected fee increases.
5. Use browser security tools that can detect or block unauthorized script injections or transaction modifications.
6. Regularly audit and review installed extensions on organizational devices to identify and remove suspicious ones.
7. Collaborate with DeFi platform providers like Raydium to improve transparency of transaction fees and provide alerts for unusual fee patterns.
8. Promote multi-factor authentication and secure key management practices to reduce the risk of unauthorized transaction manipulation.
9. Stay updated with threat intelligence feeds related to browser extension threats and Solana ecosystem vulnerabilities.
10. Consider network-level controls to restrict access to known malicious domains or extension update servers.
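As an added example (not code from the report, from Raydium, or from any extension vendor), the following Python script performs the pre-approval check recommended above: it decodes a Solana legacy transaction message, lists every System Program transfer it contains, and flags transfers that debit the user's wallet to a destination the user did not choose. It assumes the hidden fee takes the form of an extra System Program transfer instruction appended to the swap, which is how the report describes the manipulation. The wallet, destination and swap-program keys, the blockhash and the lamport amount are constructed placeholders; none of them are values from the report, and the swap-program key is not Raydium's real program id.

```python
# Pre-signing inspector for Solana legacy transaction messages (added example).
# Wire layout follows Solana's legacy Message: 3-byte header, compact-u16 key
# count + 32-byte keys, 32-byte blockhash, compact-u16 instruction count, then
# per instruction: program index (u8), compact-u16 account indices, compact-u16 data.
import struct

SYSTEM_PROGRAM = bytes(32)       # "11111111111111111111111111111111" in base58
SYSTEM_TRANSFER_TAG = 2          # SystemInstruction::Transfer discriminant (u32 LE)


def read_compact_u16(buf: bytes, pos: int):
    """Decode Solana's 'shortvec' length prefix: 7 bits per byte, LSB first."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return value, pos
        shift += 7


def write_compact_u16(n: int) -> bytes:
    """Encode a shortvec length prefix (used only to build the constructed sample)."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def parse_message(msg: bytes) -> dict:
    """Parse a legacy Message into signers, blockhash and resolved instructions."""
    num_signers, pos = msg[0], 3                     # header: 3 bytes
    n_keys, pos = read_compact_u16(msg, pos)
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program_idx, pos = msg[pos], pos + 1
        n_acc, pos = read_compact_u16(msg, pos)
        acc_idx, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        n_data, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + n_data], pos + n_data
        instructions.append({"program": keys[program_idx],
                             "accounts": [keys[i] for i in acc_idx],
                             "data": data})
    return {"signers": keys[:num_signers], "blockhash": blockhash,
            "instructions": instructions}


def find_system_transfers(msg: bytes) -> list:
    """Return (source, destination, lamports) for every System Program transfer."""
    found = []
    for ix in parse_message(msg)["instructions"]:
        if ix["program"] != SYSTEM_PROGRAM or len(ix["data"]) != 12:
            continue
        tag, lamports = struct.unpack("<IQ", ix["data"])
        if tag == SYSTEM_TRANSFER_TAG and len(ix["accounts"]) >= 2:
            found.append((ix["accounts"][0], ix["accounts"][1], lamports))
    return found


def unexpected_outflows(msg: bytes, wallet: bytes, allowed_dest: set) -> list:
    """Transfers that debit the wallet to a destination the user did not intend."""
    return [t for t in find_system_transfers(msg)
            if t[0] == wallet and t[1] not in allowed_dest]


def build_message(keys, blockhash, instructions) -> bytes:
    """Serialize a legacy Message with one signer (constructed sample only)."""
    msg = bytearray([1, 0, 2])       # 1 signature required, 2 read-only program keys
    msg += write_compact_u16(len(keys)) + b"".join(keys) + blockhash
    msg += write_compact_u16(len(instructions))
    for prog_idx, acc_idx, data in instructions:
        msg.append(prog_idx)
        msg += write_compact_u16(len(acc_idx)) + bytes(acc_idx)
        msg += write_compact_u16(len(data)) + data
    return bytes(msg)


# Constructed sample: placeholder keys, not real accounts or Raydium's program id.
WALLET = bytes([0x11]) * 32          # the user's signing key (constructed)
HIDDEN_DEST = bytes([0x22]) * 32     # destination the user never chose (constructed)
SWAP_PROGRAM = bytes([0x33]) * 32    # stand-in for the DEX program (constructed)
SAMPLE_MESSAGE = build_message(
    [WALLET, HIDDEN_DEST, SWAP_PROGRAM, SYSTEM_PROGRAM], bytes(32),
    [(2, [0], b"\x09" + bytes(16)),                          # opaque swap-like instruction
     (3, [0, 1], struct.pack("<IQ", SYSTEM_TRANSFER_TAG, 5_000_000))])  # extra 0.005 SOL


def demo() -> list:
    """Inspect the constructed sample as a wallet would before asking for a signature."""
    flagged = unexpected_outflows(SAMPLE_MESSAGE, WALLET, allowed_dest=set())
    for _src, dst, lamports in flagged:
        print(f"UNEXPECTED transfer of {lamports / 1e9:.6f} SOL to {dst.hex()[:16]}...")
    return flagged


if __name__ == "__main__":
    demo()
```

Running the script reports the extra 0.005 SOL transfer because its destination is not in the allow-list, while the swap instruction itself is left alone. Two caveats for anyone adapting it: versioned (v0) messages carry a leading version byte and address-lookup tables that this legacy parser does not handle, and a fee can also be skimmed through an SPL token transfer or an inflated compute-budget priority fee rather than a System Program transfer, so the practical equivalent in day-to-day use is to read the balance-change simulation a wallet shows before approving, and to refuse a swap whose simulated SOL outflow exceeds the expected swap amount plus network fee.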
Affected Countries
Germany, United Kingdom, Netherlands, France, Switzerland
Technical Details
- Source Type
- Subreddit
- InfoSecNews
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: thehackernews.com
- Newsworthiness Assessment: {"score":52.1,"reasons":["external_link","trusted_domain","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: true
Threat ID: 6926fec1b9c2c409f8b5f62b
Added to database: 11/26/2025, 1:21:05 PM
Last enriched: 11/26/2025, 1:21:42 PM
Last updated: 12/4/2025, 10:09:30 PM
Views: 111