Amidst the hot-wallet breach at South Korea’s Upbit, the Solana ecosystem has been hit by an entirely different kind of attack. Cybersecurity firm Socket discovered that Solana traders were covertly skimmed for months by a malicious Chrome extension operating under the name ‘Crypto Copilot’. The extension targeted users trading on Raydium, a popular Solana DEX, and siphoned a small fee from every swap they executed. It had been listed on the Chrome Web Store as a utility tool since June. The length of the operation highlights how subtle the attack was and how well it evaded detection.
The Exploit Mechanism: Secret Instructions and Atomic Execution
The attack hinged on a feature of Solana’s transaction model. When a user initiated a swap on Raydium, the ‘Crypto Copilot’ extension injected a second, hidden instruction into the transaction bundle. That hidden instruction transferred a small fee, either 0.05% of the trade amount or a fixed 0.0013 SOL, to a wallet controlled by the attacker.
The exploit relies on Solana’s atomic execution. A Solana transaction can bundle multiple operations (instructions) into a single atomic unit, and wallet interfaces typically present such a bundle to the user as a one-line summary such as “Swap.” When the user presses “Approve,” they consent not only to the swap instruction they expect but also to the fee transfer the malware injected alongside it. The trade and the theft therefore settle in a single operation. This is a form of transaction poisoning that compromises the integrity of the transaction as the user understood it.
Scope of Impact and Attack Methodology
While on-chain flows initially indicated that only a small amount of money had been collected, the sophistication of the attack lies in its sustained nature. A fee of 0.05% was designed to blend in with normal network fees or minor price slippage, making it difficult for users or security systems to notice. This low-profile skimming allowed the attack to persist for months. For trades above 2.6 SOL the fee switched to the 0.05% rate, so the take scaled with the size of the trade: a 100 SOL swap, for example, yielded about 0.05 SOL for the attacker.
Erosion of Trust in Browser Extensions
The fact that this malware was available on the Chrome Web Store since June raises a significant security issue. It exposes gaps in the screening process of browser extension stores that millions of users rely on. Socket asked Google to remove the extension. The incident also demonstrates the danger of trusting closed-source extensions, whose source code cannot be reviewed, especially for finance-related tools.
Security Warnings and User Advice
Socket has issued firm recommendations for users to protect themselves from this attack. Users who suspect they interacted with ‘Crypto Copilot’ should immediately move their assets to a new wallet. Continuing to use the old wallet does not remove the risk, even after the extension has been removed.
Users are advised to:
- Avoid closed-source extensions that request signing privileges.
- If possible, only use open-source extensions whose code can be publicly audited.
- Use a separate browser or wallet setup dedicated only to DeFi trading.
- Wherever possible, use Hardware Wallets (e.g., Ledger, Trezor) to approve transactions.
- Always verify the full transaction details (including all instructions) and not just the summarized information displayed on your wallet interface.
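The injected-instruction mechanism described above, and the advice to verify every instruction rather than the wallet’s summary, can be made concrete with an added example that is not Socket’s code or the extension’s. It decodes a simplified Solana transaction message (account keys plus compiled instructions), recognises System Program transfers by their 12-byte payload, and flags any SOL leaving the owner’s account to an address outside an allow-list; the Raydium, owner and attacker addresses are placeholders, and the fee rule follows the figures given in this article.

```javascript
// Added example, not Socket's code: decode a Solana transaction message and flag
// System Program transfers that a one-line "Swap" summary would hide.
const LAMPORTS_PER_SOL = 1_000_000_000n;
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // real System Program id
const TRANSFER_TAG = 2; // System Program "Transfer" discriminator (u32 LE)
// Build a transfer payload: u32 LE tag followed by u64 LE lamports (12 bytes).
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, TRANSFER_TAG, true);
  view.setBigUint64(4, lamports, true);
  return buf;
}
// Decode one compiled instruction; null unless it is a System Program transfer.
function decodeSystemTransfer(ix, keys) {
  if (keys[ix.programIdIndex] !== SYSTEM_PROGRAM || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== TRANSFER_TAG) return null;
  return { from: keys[ix.accounts[0]], to: keys[ix.accounts[1]], lamports: view.getBigUint64(4, true) };
}
// Walk every instruction in the bundle: SOL leaving the owner's account to any
// address outside the allow-list is a finding, however small the amount.
function auditTransaction(message, owner, allowedRecipients) {
  const findings = [];
  message.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix, message.accountKeys);
    if (t && t.from === owner && !allowedRecipients.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports });
    }
  });
  return findings;
}
// Fee rule as the article describes it: 0.05% of the trade above 2.6 SOL,
// otherwise the fixed 0.0013 SOL (both equal 1,300,000 lamports at 2.6 SOL).
function skimFeeLamports(tradeLamports) {
  const pct = (tradeLamports * 5n) / 10_000n;
  return pct > 1_300_000n ? pct : 1_300_000n;
}
// Constructed sample: an opaque swap instruction plus the injected fee transfer.
const OWNER = "OwnerWalletPlaceholder";     // placeholder, not a real address
const RAYDIUM = "RaydiumProgramPlaceholder"; // placeholder, not a real address
const SKIMMER = "SkimmerWalletPlaceholder";  // placeholder, not a real address
const sampleMessage = {
  accountKeys: [OWNER, RAYDIUM, SYSTEM_PROGRAM, SKIMMER],
  instructions: [
    { programIdIndex: 1, accounts: [0], data: new Uint8Array([9, 0, 0, 0]) },
    { programIdIndex: 2, accounts: [0, 3], data: encodeTransfer(skimFeeLamports(100n * LAMPORTS_PER_SOL)) },
  ],
};
```

Running `auditTransaction(sampleMessage, OWNER, new Set([RAYDIUM]))` reports the second instruction as a 50,000,000-lamport (0.05 SOL) transfer to the unlisted address, which is exactly the detail a “Swap” summary omits.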
DeFi’s New Security Challenge
This attack shifts the focus of crypto security from the code of the smart contract to the user’s client-side browser environment. DeFi is meant to be a trustless financial system, but ‘Crypto Copilot’ showed that the chain of trust can be broken by a third-party component such as a browser extension. The incident underscores the urgent need for crypto users to change how they interact with browser extensions if self-custody is to mean anything.