Security Breach: Chrome Extension Targets Solana Users
Full Transcript
Cybersecurity researchers have uncovered a malicious Chrome extension named Crypto Copilot that targets Solana users. First published on May 7, 2024, by a user identified as sjclark76, the extension claims to offer seamless crypto trading with real-time insights but has a hidden agenda.
According to a report by Socket security researcher Kush Pandya, the extension is capable of injecting an additional transfer into every Solana swap transaction, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a wallet controlled by the attacker.
This occurs specifically during transactions on Raydium, a decentralized exchange built on the Solana blockchain. The malicious code is obfuscated to hide its true intentions, activating only when users perform a Raydium swap.
The extension appends a hidden SystemProgram.transfer method to the swap transactions before the user is prompted to sign. This covert operation sends fees not to a protocol treasury but directly to the attacker's wallet, making it hard for users to notice unless they thoroughly inspect each transaction.
The fee structure includes a base charge of 0.0013 SOL for small trades and a higher charge of 2.6 SOL plus 0.05% of the swap amount for larger trades exceeding 2.6 SOL. The extension communicates with a backend server hosted on the domain crypto-coplilot-dashboard.vercel.app, which is linked to the malicious activities, including registering connected wallets and reporting user activity.
Notably, the domains crypto-coplilot-dashboard.vercel.app and cryptocopilot.app do not offer any legitimate product, further indicating their fraudulent nature. To maintain the facade of legitimacy, Crypto Copilot makes use of established services such as DexScreener and Helius RPC.
The report emphasizes that users are completely unaware of the hidden fees, as the user interface only displays the swap details. This significant security breach highlights the ongoing vulnerabilities within the cryptocurrency ecosystem and raises urgent alarms for both users and developers in this space.
The extension currently has 12 installs and remains available for download, prompting concerns over user safety and the necessity for enhanced security measures within the cryptocurrency sector.