Briefing

A supply chain attack has been identified on the Solana network, leveraging a malicious Chrome browser extension named “Crypto Copilot” to silently skim assets from user transactions. The attack bypassed the wallet's standard transaction summary by injecting a second, unauthorized instruction into an otherwise legitimate swap transaction, which then executed on-chain without the user's knowledge. The primary consequence is a continuous, long-tail financial drain on affected users, as the skimming mechanism was subtle enough to evade detection over a period of months. The single most important detail quantifying the event is the skimming rate of 0.05% of the swap value, or a minimum of 0.0013 SOL per transaction, designed for stealth and cumulative theft.


Context

The prevailing attack surface for the digital asset ecosystem includes third-party applications and browser extensions, which often operate with high-level permissions, creating a significant point of failure. This class of vulnerability is an evolution of the traditional wallet drainer, moving from an immediate, high-volume theft to a subtle, continuous skimming model. The inherent design of many blockchain transaction formats, which allow for multiple instructions to be batched and executed, creates an exploitable gap between the simplified transaction summary shown to the user and the full set of instructions submitted to the network.


Analysis

The incident’s technical mechanics centered on a malicious modification within the “Crypto Copilot” Chrome extension. When a user initiated a standard token swap through a legitimate decentralized exchange like Raydium, the extension intercepted the transaction data before it reached the user’s wallet for signing. The attacker’s code then programmatically appended a second, hidden instruction to the transaction payload, routing a small fraction of the output tokens to the attacker’s address.

The user interface and the wallet confirmation prompt displayed only the details of the legitimate swap instruction, masking the secondary, malicious skimming instruction. The attack succeeded because the Solana network executes every instruction in a signed transaction atomically, including the hidden one, and because the extension's position between the dApp and the wallet let it trade on the user's implicit trust in the browser extension.


Parameters

  • Attack Vector → Malicious Chrome Extension – The core vector was a compromised third-party browser tool marketed for the ability to “trade instantly from Twitter.”
  • Affected Blockchain → Solana Network – The exploit targeted the instruction-based transaction model of the Solana blockchain.
  • Skimming Rate → 0.05% per transaction – The percentage of the swap value silently diverted to the attacker’s address, or 0.0013 SOL minimum.
  • Duration of Operation → Active since June 2025 – The extension was operational and skimming funds for several months before public disclosure.


Outlook

Immediate mitigation requires users to conduct a full audit of all installed browser extensions and revoke token approvals granted to any suspicious or non-essential smart contracts. This incident will likely establish a new security best practice, demanding that wallet providers implement more granular and transparent transaction simulation tools capable of parsing and displaying all instructions within a single transaction bundle. The contagion risk is high for other ecosystems utilizing multi-instruction transaction models, prompting a necessary re-evaluation of security posture for all front-end interfaces that interact with on-chain protocols.
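The Analysis section describes a swap transaction carrying a second, unlisted transfer instruction, and the Outlook asks wallets to decode and display every instruction in a bundle rather than just the primary one. The following is an added example written for this page, not code from the article, from Crypto Copilot, or from any Solana project: a minimal inspector that decodes each instruction in a transaction and flags an outbound transfer from a user-owned account to an account the user does not own. The SPL Token and System program addresses are the well-known mainnet ids; the DEX program id, every account address and the transaction contents are constructed placeholders, and the "primary instruction only" summary is a stand-in for a wallet that shows just the swap.

```javascript
// Added example, not the article's or any Solana project's code: a minimal
// "decode every instruction" inspector of the kind the Outlook section asks
// wallets to provide. Transactions are plain objects; the SPL Token and System
// program ids are the well-known mainnet addresses, the DEX id and all account
// addresses are constructed placeholders.

const TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
const DEX_PROGRAM_ID = "DEX_PROGRAM_PLACEHOLDER"; // hypothetical swap program
const LAMPORTS_PER_SOL = 1_000_000_000n;

// SPL Token discriminators (first data byte) for the two transfer variants, and
// the System program's little-endian u32 instruction index for a SOL transfer.
const TOKEN_TRANSFER = 3;
const TOKEN_TRANSFER_CHECKED = 12;
const SYSTEM_TRANSFER = 2;
const TRANSFER_KINDS = new Set(["token_transfer", "token_transfer_checked", "sol_transfer"]);

const readU64LE = (bytes, off) =>
  new DataView(bytes.buffer, bytes.byteOffset + off, 8).getBigUint64(0, true);
const u64LE = (value) => {
  const out = new Uint8Array(8);
  new DataView(out.buffer).setBigUint64(0, BigInt(value), true);
  return out;
};

// Decode one instruction into a readable record. Unknown programs are reported
// as opaque rather than dropped, so nothing in the bundle goes unlisted.
function decodeInstruction({ programId, accounts, data }) {
  if (programId === TOKEN_PROGRAM_ID && data.length >= 9) {
    if (data[0] === TOKEN_TRANSFER && accounts.length >= 3) {
      return { kind: "token_transfer", source: accounts[0], destination: accounts[1],
               authority: accounts[2], amount: readU64LE(data, 1) };
    }
    if (data[0] === TOKEN_TRANSFER_CHECKED && accounts.length >= 4 && data.length >= 10) {
      return { kind: "token_transfer_checked", source: accounts[0], mint: accounts[1],
               destination: accounts[2], authority: accounts[3],
               amount: readU64LE(data, 1), decimals: data[9] };
    }
    return { kind: "token_other", discriminator: data[0] };
  }
  if (programId === SYSTEM_PROGRAM_ID && data.length >= 12 && accounts.length >= 2) {
    const index = new DataView(data.buffer, data.byteOffset, 4).getUint32(0, true);
    if (index === SYSTEM_TRANSFER) {
      return { kind: "sol_transfer", source: accounts[0], destination: accounts[1],
               amount: readU64LE(data, 4) };
    }
  }
  return { kind: "opaque", programId };
}

// What a wallet that summarises only the primary instruction would show.
function naiveSummary(tx) {
  return decodeInstruction(tx.instructions[0]);
}

// Walk every instruction. A transfer out of a user-owned account to an account
// the user does not own is flagged (a DEX swap moves tokens inside the swap
// program, not as a separate top-level transfer signed by the user), as is any
// program outside the dApp's expected set.
function inspectTransaction(tx, { ownedAccounts, expectedPrograms }) {
  return tx.instructions.map((ix, index) => {
    const decoded = decodeInstruction(ix);
    const flags = [];
    if (TRANSFER_KINDS.has(decoded.kind) && ownedAccounts.has(decoded.source) &&
        !ownedAccounts.has(decoded.destination)) {
      flags.push("outbound_transfer_to_unknown_account");
    }
    if (!expectedPrograms.has(ix.programId)) flags.push("unexpected_program");
    return { index, programId: ix.programId, decoded, flags };
  });
}

// The skim the article describes: 0.05% of the swap output, floored at
// 0.0013 SOL (1,300,000 lamports). Used here only to size the constructed sample.
function skimLamports(swapOutLamports) {
  const pct = (swapOutLamports * 5n) / 10_000n;
  const floor = 1_300_000n;
  return pct > floor ? pct : floor;
}

// Constructed sample: a swap instruction to the placeholder DEX followed by an
// appended token transfer from the user's wrapped-SOL account to an unknown account.
const USER_WALLET = "UserWalletPlaceholder";
const USER_WSOL_ACCOUNT = "UserWsolAccountPlaceholder";
const SKIM_DESTINATION = "UnknownDestinationPlaceholder";
const SAMPLE_POLICY = {
  ownedAccounts: new Set([USER_WALLET, USER_WSOL_ACCOUNT]),
  expectedPrograms: new Set([DEX_PROGRAM_ID, TOKEN_PROGRAM_ID]),
};

function buildSampleTransaction(swapOutLamports = 2n * LAMPORTS_PER_SOL) {
  const swap = { programId: DEX_PROGRAM_ID, accounts: [USER_WALLET, USER_WSOL_ACCOUNT],
                 data: Uint8Array.from([9, ...u64LE(swapOutLamports)]) }; // arbitrary bytes
  const skim = { programId: TOKEN_PROGRAM_ID,
                 accounts: [USER_WSOL_ACCOUNT, SKIM_DESTINATION, USER_WALLET],
                 data: Uint8Array.from([TOKEN_TRANSFER, ...u64LE(skimLamports(swapOutLamports))]) };
  return { instructions: [swap, skim] };
}

const sample = buildSampleTransaction();
const bigintSafe = (_, v) => (typeof v === "bigint" ? v.toString() : v);
console.log("wallet summary:", JSON.stringify(naiveSummary(sample), bigintSafe));
console.log("full inspection:", JSON.stringify(inspectTransaction(sample, SAMPLE_POLICY), bigintSafe, 2));
```

Run with `node`: the "wallet summary" line shows only an opaque swap, while the full inspection lists both instructions and flags the second as an outbound transfer to an account outside the user's set. The ownership heuristic is deliberately conservative: it lists every instruction regardless, so a reviewer sees the full bundle even when no flag fires.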


Verdict

The incident confirms that supply chain attacks leveraging subtle transaction manipulation represent a persistent, long-tail risk that traditional wallet interfaces fail to mitigate.

Solana network, Chrome extension, Supply chain attack, Wallet drainer, Transaction skimming, Hidden instruction, On-chain theft, Permission abuse, Swap execution, Decentralized exchange, Browser security, Token transfer, Digital asset risk, Continuous theft, Low volume skimming, Web3 security, User interface spoofing, On-chain forensic, Token allowance, Security posture

Signal Acquired from → binance.com

Micro Crypto News Feeds