Briefing

A newly identified threat actor utilized a malicious Chrome browser extension, “Crypto Copilot,” to execute a stealthy, recurring theft against Solana-based decentralized exchange (DEX) users. The extension’s core function was to inject a hidden transfer instruction into legitimate Raydium swap transactions, siphoning a small percentage of the trade value without user knowledge. This novel, low-volume attack vector has proven highly effective at evading detection, accumulating an estimated total of over $1 million in stolen assets across numerous victims over 18 months, highlighting a critical blind spot in user-facing security.


Context

The prevailing attack surface for Web3 users has shifted from smart contract exploits to wallet-level compromises, specifically through social engineering and malicious software. This incident leverages the inherent trust users place in browser extensions and the common failure of wallet interfaces to display all granular transaction instructions. The risk was compounded by the Chrome Web Store’s inadequate moderation, allowing the malicious extension to remain active for over a year, establishing a long-term, low-profile drain mechanism.


Analysis

The attack compromised the client-side execution environment. The “Crypto Copilot” extension, marketed as a trading shortcut, was designed with obfuscated JavaScript to intercept and modify user-initiated swap transactions. Specifically, before the transaction was sent to the wallet for signing, the extension programmatically appended an additional, hidden transfer instruction to the transaction payload.

This instruction directed a small fee, a minimum of 0.0013 SOL or 0.05% of the swap value, to the attacker’s wallet. Because most wallet confirmation screens only summarize the primary swap action and not the full, low-level instruction set, the victim unknowingly signed a transaction that authorized the theft alongside their intended trade.
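The following is an added example, not code from the article or from any wallet or DEX project, showing the kind of pre-signing instruction audit that would have surfaced the injected transfer: it walks a transaction’s instruction list, decodes System Program transfers (real layout: u32 little-endian discriminator, 2 = Transfer, then u64 little-endian lamports) and flags any transfer whose destination is not the user, or any program the dApp is not expected to call. Transactions are modelled as plain objects rather than @solana/web3.js objects so it runs offline; all public keys except the System Program id are constructed placeholders.

```javascript
// Added example (not the article's or any wallet's code): pre-signing audit of a
// Solana transaction's instruction list, modelled on the Crypto Copilot injection.
// Transactions are plain {instructions: [{programId, keys, data}]} objects; pubkeys are strings.
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // real System Program id
const LAMPORTS_PER_SOL = 1_000_000_000;
// System Program data layout: u32 LE discriminator (Transfer = 2) followed by u64 LE lamports.
function decodeSystemTransfer(data) {
  if (data.length !== 12) return null;
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  if (view.getUint32(0, true) !== 2) return null; // some other System instruction, e.g. CreateAccount
  return { lamports: Number(view.getBigUint64(4, true)) };
}
// Encode the same layout; used here only to build the constructed sample below.
function encodeSystemTransfer(lamports) {
  const data = new Uint8Array(12);
  const view = new DataView(data.buffer);
  view.setUint32(0, 2, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return data;
}
// Return every instruction the user did not ask for: a SOL transfer whose destination
// (keys[1] for Transfer) is not the user's own account, or a program outside the allowed set.
function auditSwap(tx, userPubkey, allowedPrograms) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId === SYSTEM_PROGRAM) {
      const transfer = decodeSystemTransfer(ix.data);
      if (transfer && ix.keys[1] !== userPubkey) {
        findings.push({ index, kind: "hidden_transfer", to: ix.keys[1], sol: transfer.lamports / LAMPORTS_PER_SOL });
      }
    } else if (!allowedPrograms.has(ix.programId)) {
      findings.push({ index, kind: "unexpected_program", programId: ix.programId });
    }
  });
  return findings;
}
// Constructed sample (placeholder pubkeys): the legitimate swap instruction followed by the
// article's minimum skim of 0.0013 SOL (1_300_000 lamports) routed to a third-party address.
const USER = "UserPubkeyPlaceholder1111111111111111111111";
const DEX_PROGRAM = "DexProgramPlaceholder111111111111111111111";
const SAMPLE_TX = { instructions: [
  { programId: DEX_PROGRAM, keys: [USER], data: new Uint8Array([9, 0, 0, 0]) },
  { programId: SYSTEM_PROGRAM, keys: [USER, "AttackerPlaceholder11111111111111111111111"], data: encodeSystemTransfer(1_300_000) },
] };
const findings = auditSwap(SAMPLE_TX, USER, new Set([DEX_PROGRAM]));
```

A wallet applying this check would have shown the second finding as a separate “send 0.0013 SOL to an unknown address” line rather than folding it into the swap summary.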


Parameters

  • Total Siphoned Assets → Over $1,000,000; The estimated total loss accumulated from the recurring, small-percentage fee over the extension’s lifespan.
  • Vulnerability Vector → Malicious Chrome Extension (Crypto Copilot); The specific software used to execute the client-side transaction modification.
  • Theft Mechanism → Hidden Transaction Instruction Injection; The method of appending an unauthorized transfer instruction to a legitimate Solana swap.
  • Recurring Fee Structure → 0.05% of Swap Value or 0.0013 SOL Minimum; The small, incremental amount siphoned from each successful transaction.


Outlook

Users must immediately revoke permissions for all non-essential or unverified browser extensions and treat any third-party wallet utility with extreme skepticism. The industry will likely establish new best practices requiring wallet providers to implement granular transaction decoding and “firewall” features that flag or block unexpected instructions within a transaction bundle. This incident establishes the “hidden instruction injection” as a critical new threat pattern, forcing a shift from only auditing smart contracts to also securing the user’s execution environment against supply chain compromises.

This attack confirms the escalating strategic shift by threat actors toward client-side social engineering and transaction manipulation, demanding that wallet security evolve beyond simple approval prompts.

Signal Acquired from → ainvest.com
