
Briefing

A newly identified threat actor used a malicious Chrome browser extension, “Crypto Copilot,” to carry out a stealthy, recurring theft against users of Solana-based decentralized exchanges (DEXs). The extension’s core function was to inject a hidden transfer instruction into legitimate Raydium swap transactions, siphoning a small percentage of each trade’s value without the user’s knowledge. This novel, low-volume attack vector proved highly effective at evading detection, accumulating an estimated total of over $1 million in stolen assets across numerous victims over 18 months, and highlights a critical blind spot in user-facing security.


Context

The prevailing attack surface for Web3 users has shifted from smart contract exploits to wallet-level compromises, specifically through social engineering and malicious software. This incident leverages the inherent trust users place in browser extensions and the common failure of wallet interfaces to display all granular transaction instructions. The risk was compounded by the Chrome Web Store’s inadequate moderation, allowing the malicious extension to remain active for over a year, establishing a long-term, low-profile drain mechanism.


Analysis

The attack compromised the client-side execution environment. The “Crypto Copilot” extension, marketed as a trading shortcut, was designed with obfuscated JavaScript to intercept and modify user-initiated swap transactions. Specifically, before the transaction was sent to the wallet for signing, the extension programmatically appended an additional, hidden transfer instruction to the transaction payload.

This instruction directed a small fee (0.05% of the swap value, with a minimum of 0.0013 SOL) to the attacker’s wallet. Because most wallet confirmation screens summarize only the primary swap action and not the full, low-level instruction set, the victim unknowingly signed a transaction that authorized the theft alongside their intended trade.


Parameters

  • Total Siphoned Assets: over $1,000,000. The estimated total loss accumulated from the recurring, small-percentage fee over the extension’s lifespan.
  • Vulnerability Vector: malicious Chrome extension (Crypto Copilot). The specific software used to execute the client-side transaction modification.
  • Theft Mechanism: hidden transaction instruction injection. The method of appending an unauthorized transfer instruction to a legitimate Solana swap.
  • Recurring Fee Structure: 0.05% of swap value, or a 0.0013 SOL minimum. The small, incremental amount siphoned from each successful transaction.


Outlook

Users must immediately revoke permissions for all non-essential or unverified browser extensions and treat any third-party wallet utility with extreme skepticism. The industry will likely establish new best practices requiring wallet providers to implement granular transaction decoding and “firewall” features that flag or block unexpected instructions within a transaction bundle. This incident establishes the “hidden instruction injection” as a critical new threat pattern, forcing a shift from only auditing smart contracts to also securing the user’s execution environment against supply chain compromises.

This attack confirms the escalating strategic shift by threat actors toward client-side social engineering and transaction manipulation, demanding that wallet security evolve beyond simple approval prompts.
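The instruction-level check that the Analysis and Outlook sections describe, as an added example that is not code from the briefing or from any wallet vendor: it models a Solana transaction as a list of resolved instructions, decodes System Program transfers from their raw bytes, and flags any instruction a plain DEX swap should not contain, in particular a transfer to a destination the user never approved. The System Program and Compute Budget program ids are the real Solana built-ins; the DEX program id, the wallet addresses, the opaque instruction bytes and both sample transactions are constructed placeholders.

```javascript
// Added example (not from the briefing or any wallet vendor): a minimal
// pre-signing "transaction firewall" for Solana swap transactions.
// Only the two Solana built-in program ids below are real; every other
// address and every byte of sample data is a constructed placeholder.

const SYSTEM_PROGRAM = "11111111111111111111111111111111";            // real Solana System Program id
const COMPUTE_BUDGET = "ComputeBudget111111111111111111111111111111"; // real Compute Budget program id
const DEX_PROGRAM = "DexSwapProgramP1aceho1der11111111111111111111";    // constructed placeholder
const LAMPORTS_PER_SOL = 1_000_000_000n;

// System Program "Transfer": instruction index 2 (u32 LE) followed by lamports (u64 LE).
function encodeTransfer(lamports) {
  const data = Buffer.alloc(12);
  data.writeUInt32LE(2, 0);
  data.writeBigUInt64LE(BigInt(lamports), 4);
  return data;
}

function decodeSystemInstruction(data) {
  if (data.length < 4) return { kind: "malformed" };
  const index = data.readUInt32LE(0);
  if (index === 2 && data.length === 12) return { kind: "transfer", lamports: data.readBigUInt64LE(4) };
  return { kind: "other", index };
}

// Fee schedule the briefing reports for this campaign: max(0.0013 SOL, 0.05% of swap value).
// Used only to annotate a finding whose amount matches the reported skim.
function reportedSkim(swapLamports) {
  const pct = (BigInt(swapLamports) * 5n) / 10_000n;   // 0.05% of the swap
  const floor = (LAMPORTS_PER_SOL * 13n) / 10_000n;     // 0.0013 SOL = 1,300,000 lamports
  return pct > floor ? pct : floor;
}

// Walks every instruction. Anything outside the allowlisted programs, or a System
// transfer whose destination the user did not explicitly approve, becomes a finding.
function auditSwapTransaction(tx, policy) {
  const findings = [];
  tx.instructions.forEach((ix, i) => {
    if (ix.programId === COMPUTE_BUDGET || ix.programId === policy.dexProgram) return;
    if (ix.programId === SYSTEM_PROGRAM) {
      const decoded = decodeSystemInstruction(ix.data);
      if (decoded.kind === "transfer") {
        const [from, to] = ix.keys;
        if (policy.allowedTransferDestinations.includes(to)) return;
        findings.push({
          index: i, reason: "system transfer to non-allowlisted account", from, to,
          lamports: decoded.lamports,
          matchesReportedSkim: decoded.lamports === reportedSkim(tx.swapLamports),
        });
        return;
      }
    }
    findings.push({ index: i, reason: "unexpected program", programId: ix.programId });
  });
  return findings;
}

// --- constructed fixtures ---------------------------------------------------
const USER = "UserWa11etP1aceho1der11111111111111111111111";
const DRAIN_DESTINATION = "DrainDestinationP1aceho1der11111111111111111";
const POLICY = { dexProgram: DEX_PROGRAM, allowedTransferDestinations: [] };

function buildSwap(swapLamports) {
  return {
    feePayer: USER,
    swapLamports: BigInt(swapLamports),
    instructions: [
      { programId: COMPUTE_BUDGET, keys: [], data: Buffer.from([0, 0, 0, 0]) }, // opaque constructed bytes
      { programId: DEX_PROGRAM, keys: [USER], data: Buffer.from([9, 1, 2, 3]) }, // opaque constructed swap data
    ],
  };
}

// Builds the fixture the briefing describes: the same swap with one extra
// transfer instruction appended after the DEX instruction.
function withAppendedTransfer(tx, destination, lamports) {
  const extra = { programId: SYSTEM_PROGRAM, keys: [tx.feePayer, destination], data: encodeTransfer(lamports) };
  return { ...tx, instructions: [...tx.instructions, extra] };
}

const LEGIT_TX = buildSwap(10n * LAMPORTS_PER_SOL);
const TAMPERED_TX = withAppendedTransfer(LEGIT_TX, DRAIN_DESTINATION, reportedSkim(LEGIT_TX.swapLamports));

console.log("legit swap findings:", auditSwapTransaction(LEGIT_TX, POLICY));      // []
console.log("tampered swap findings:", auditSwapTransaction(TAMPERED_TX, POLICY)); // one transfer finding
```

A real wallet works from the compiled message rather than from resolved instructions, so account-index tables and address lookup tables must be resolved before this kind of walk; and the match against the reported fee schedule is only an attribution aid, the transfer to an unapproved destination is what should block signing on its own.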

client-side compromise, transaction decoding, wallet security flaw, user execution environment, malicious browser plugin, stealthy asset drain, slippage manipulation, obfuscated code, on-chain forensics, recurring theft model

Signal acquired from: ainvest.com

Micro Crypto News Feeds

browser extension

Definition: A browser extension is a small software program that adds specific features to a web browser.

social engineering

Definition: Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

execution environment

Definition: An execution environment is a specialized virtual machine or runtime system where smart contracts and decentralized applications operate within a blockchain network.

transaction

Definition: A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

assets

Definition: A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

chrome extension

Definition: A Chrome extension is a small software program that customizes the browsing experience in Google Chrome.

solana

Definition: Solana is a high-performance blockchain platform designed to support decentralized applications and cryptocurrencies with exceptional speed and low transaction costs.

fee structure

Definition: A fee structure specifies the various charges and costs associated with transacting, interacting, or operating within a particular financial system, platform, or blockchain protocol.

supply chain

Definition: A supply chain is the network of all the individuals, companies, resources, activities, and technologies involved in the creation and sale of a product, from the delivery of source materials from the supplier to the manufacturer, through to its eventual sale to the end consumer.