
Briefing

A supply chain attack has been identified on the Solana network, leveraging a malicious Chrome browser extension named “Crypto Copilot” to silently skim assets from user transactions. The attack bypassed the transaction summaries shown by standard wallets by injecting a second, unauthorized instruction into a legitimate swap transaction, which was then executed on-chain without the user’s knowledge. The primary consequence is a continuous, long-tail financial drain on affected users, as the skimming mechanism was subtle enough to evade detection for months. The key quantitative detail is the skimming rate: 0.05% of the swap value, with a minimum of 0.0013 SOL per transaction, chosen for stealth and cumulative theft.


Context

The prevailing attack surface for the digital asset ecosystem includes third-party applications and browser extensions, which often operate with high-level permissions, creating a significant point of failure. This class of vulnerability is an evolution of the traditional wallet drainer, moving from an immediate, high-volume theft to a subtle, continuous skimming model. The inherent design of many blockchain transaction formats, which allow for multiple instructions to be batched and executed, creates an exploitable gap between the simplified transaction summary shown to the user and the full set of instructions submitted to the network.


Analysis

The incident’s technical mechanics centered on a malicious modification within the “Crypto Copilot” Chrome extension. When a user initiated a standard token swap through a legitimate decentralized exchange like Raydium, the extension intercepted the transaction data before it reached the user’s wallet for signing. The attacker’s code then programmatically appended a second, hidden instruction to the transaction payload, routing a small fraction of the output tokens to the attacker’s address.

The user interface and the wallet confirmation prompt displayed only the details of the legitimate swap instruction, masking the secondary skimming instruction. The attack succeeded because the Solana network executes every instruction in a signed transaction atomically, including the hidden one, and because the user implicitly trusted the browser extension that assembled the transaction.


Parameters

  • Attack Vector: Malicious Chrome Extension – The core vector was a compromised third-party browser tool marketed for “trade instantly from Twitter.”
  • Affected Blockchain: Solana Network – The exploit targeted the instruction-based transaction model of the Solana blockchain.
  • Skimming Rate: 0.05% per transaction – The percentage of the swap value silently diverted to the attacker’s address, with a minimum of 0.0013 SOL.
  • Duration of Operation: Active since June 2025 – The extension was operational and skimming funds for several months before public disclosure.


Outlook

Immediate mitigation requires users to conduct a full audit of all installed browser extensions and revoke token approvals granted to any suspicious or non-essential smart contracts. This incident will likely establish a new security best practice, demanding that wallet providers implement more granular and transparent transaction simulation tools capable of parsing and displaying all instructions within a single transaction bundle. The contagion risk is high for other ecosystems utilizing multi-instruction transaction models, prompting a necessary re-evaluation of security posture for all front-end interfaces that interact with on-chain protocols.
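As an added illustration of the pre-sign check the Outlook calls for (not code from the article, from the extension, or from any wallet vendor), the following audits every instruction in a simplified, constructed model of a Solana transaction rather than only the swap a wallet summary would show, flagging transfers from the user’s account to destinations outside the declared swap route, and reproduces the skim arithmetic from the Analysis. Program ids, account names, the transaction shape and the attacker placeholder are assumptions for illustration, not the real on-chain addresses or the @solana/web3.js structures.

```javascript
// Added example: pre-sign instruction audit over a constructed transaction model.
// Field names (programId, source, destination, lamports) are assumptions, not the
// @solana/web3.js API; program ids and account names are labels, not real addresses.

const LAMPORTS_PER_SOL = 1_000_000_000;
const MIN_SKIM_LAMPORTS = 1_300_000; // 0.0013 SOL, the floor described in the article

// Programs whose instructions move value out of an account (assumed labels).
const TRANSFER_PROGRAMS = new Set(["system_program", "spl_token"]);

// Skim described in the article: 0.05% of the swap value, but never below 0.0013 SOL.
// Integer arithmetic (x * 5 / 10000) avoids floating-point error on 0.0005.
function expectedSkimLamports(swapLamports) {
  const pct = Math.floor((swapLamports * 5) / 10000);
  return Math.max(pct, MIN_SKIM_LAMPORTS);
}

// Walk every instruction. `expected` declares what the user actually asked for:
// the swap program, the user's account, and the destinations the route may pay.
function auditTransaction(tx, expected) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    if (ix.programId === expected.swapProgram) return; // the legitimate swap
    if (!TRANSFER_PROGRAMS.has(ix.programId)) {
      findings.push({ index, reason: `unrecognised program ${ix.programId}` });
    } else if (ix.source === expected.userAccount &&
               !expected.allowedDestinations.has(ix.destination)) {
      findings.push({ index, destination: ix.destination, lamports: ix.lamports,
        reason: "transfer from user account to a destination outside the swap route" });
    }
  });
  return findings;
}

// Constructed sample: a 5 SOL swap with the hidden second instruction appended.
const SWAP_LAMPORTS = 5 * LAMPORTS_PER_SOL;
const sampleTx = {
  instructions: [
    { programId: "dex_swap_program", source: "user_wallet", destination: "dex_pool", lamports: SWAP_LAMPORTS },
    { programId: "system_program", source: "user_wallet", destination: "ATTACKER_ADDR_PLACEHOLDER",
      lamports: expectedSkimLamports(SWAP_LAMPORTS) },
  ],
};
const expectedSwap = { swapProgram: "dex_swap_program", userAccount: "user_wallet",
  allowedDestinations: new Set(["dex_pool"]) };

for (const f of auditTransaction(sampleTx, expectedSwap)) {
  console.log(`instruction ${f.index}: ${f.reason}`, f.lamports ? `(${f.lamports} lamports)` : "");
}
```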


Verdict

The incident confirms that supply chain attacks leveraging subtle transaction manipulation represent a persistent, long-tail risk that traditional wallet interfaces fail to mitigate.

Tags: Solana network, Chrome extension, Supply chain attack, Wallet drainer, Transaction skimming, Hidden instruction, On-chain theft, Permission abuse, Swap execution, Decentralized exchange, Browser security, Token transfer, Digital asset risk, Continuous theft, Low volume skimming, Web3 security, User interface spoofing, On-chain forensics, Token allowance, Security posture

Signal acquired from: binance.com

Micro Crypto News Feeds