According to a recent report, the “Crypto Copilot” Chrome extension is siphoning SOL from anyone who installs it.
The extension pretends to be a trading helper for Solana users, letting you execute swaps directly from X (Twitter) posts.
On the surface, it looks totally normal: it connects to standard wallets, shows DexScreener price data, and routes swaps through Raydium, Solana’s biggest AMM.
But underneath that UI, it secretly injects an extra instruction into every transaction you sign.
How it works
The extension quietly attaches a second instruction behind the scenes: a tiny, hidden SOL transfer to the attacker’s personal wallet.
You never see it in the UI. Wallets like Phantom only show a summary unless you manually expand the instruction list. So most users never notice an outbound transfer buried inside the same transaction.
The fee-extraction code itself is simple: it calculates either a tiny fixed fee or a tiny percentage of the trade, converts it to lamports, and then quietly adds a second instruction to the transaction that sends that amount to the attacker’s wallet.
What makes it dangerous is that this logic is buried inside heavily obfuscated JavaScript. On the surface, the UI looks completely legitimate, showing only the expected Raydium swap.
The extension also connects to a backend domain with a typo, which records wallet IDs, tracks activity, and pretends to provide “points” and referrals even though the actual website is empty and non-functional.
On-chain, the theft looks like tiny, ordinary SOL transfers sitting next to legitimate swaps. Hence, unless someone inspects instructions carefully or knows the attacker’s address, it blends in.. The fee is intentionally small enough to be ignored in the moment.
Dan Burgin
Vladislav Sopov
U.Today Editorial Team