Cybersecurity Threats: Malicious Chrome Extension Targets Solana Users
Full Transcript
Cybersecurity researchers have uncovered a malicious Chrome extension named Crypto Copilot that targets Solana users by injecting hidden transfer fees into swap transactions. According to a report from Socket security researcher Kush Pandya, the extension was published on the Chrome Web Store on May 7, 2024, by a user identified as sjclark76.
The developer claims that Crypto Copilot facilitates crypto trading with real-time insights and seamless execution, but it actually siphons off a minimum of 0.0013 SOL or 0.05% of each trade amount to a wallet controlled by the attacker.
The report details that the extension uses obfuscated code that activates during swaps on Raydium, a decentralized exchange and automated market maker on the Solana blockchain. When a user initiates a swap, the extension appends a hidden SystemProgram.transfer instruction to the transaction before the user's signature is requested.
That instruction sends the hidden fee to a hardcoded wallet address embedded in the extension's code. Notably, the fees escalate to 2.6 SOL plus 0.05% of the swap amount for trades exceeding 2.6 SOL. The malicious behavior is disguised with tactics such as minification and variable renaming, making it difficult for users to detect.
Additionally, the extension communicates with a backend hosted on the domain crypto-coplilot-dashboard.vercel[.]app, which does not offer any legitimate product but is used to register connected wallets, gather referral data, and report user activity.
The extension also calls legitimate services such as DexScreener and Helius RPC to create an illusion of reliability. Most users remain unaware of the hidden fee because the extension's interface displays only the details of the swap itself, not the appended transfer.
Pandya emphasizes that since the transfer occurs silently and is directed to a personal wallet rather than a protocol treasury, users are unlikely to notice the additional charges unless they meticulously inspect each transaction instruction prior to signing.
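The check Pandya describes, inspecting every instruction before signing, can be automated. The following is an added example written for this article, not code from the Socket report or from the extension itself. It models a Solana legacy transaction as a list of instructions, decodes the System Program's Transfer layout (a little-endian u32 instruction index of 2 followed by a little-endian u64 lamport amount, with the source and destination as the first two accounts), and reports any transfer whose destination the user did not knowingly authorize. The program and wallet addresses other than the System Program ID are constructed placeholders; the sample transaction is built in memory and is not captured traffic.

```javascript
// Pre-sign inspector for hidden SystemProgram transfers (added example, not the
// extension's or Socket's code). Transaction data is a constructed in-memory model.

const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // real Solana System Program ID
const SYSTEM_INSTRUCTION_TRANSFER = 2;   // u32 LE discriminator for SystemProgram::Transfer
const LAMPORTS_PER_SOL = 1_000_000_000n; // 1 SOL = 1e9 lamports

// Placeholders (constructed, not real addresses):
const USER_WALLET = 'UserWalletPlaceholder11111111111111111111111';
const ATTACKER_WALLET = 'AttackerWalletPlaceholder1111111111111111111';
const SWAP_PROGRAM_PLACEHOLDER = 'SwapProgramPlaceholder111111111111111111111';

// Encode the data field of a System Program Transfer instruction.
// Layout: u32 LE instruction index (2), then u64 LE lamports.
function encodeTransferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_INSTRUCTION_TRANSFER, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Decode a System Program instruction's data. Returns { kind: 'transfer', lamports }
// for Transfer, { kind: 'other', index } for any other System instruction, and
// { kind: 'unknown' } when the buffer is too short to carry the discriminator.
function decodeSystemInstruction(data) {
  if (data.length < 4) return { kind: 'unknown' };
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  const index = view.getUint32(0, true);
  if (index !== SYSTEM_INSTRUCTION_TRANSFER || data.length < 12) {
    return { kind: 'other', index };
  }
  return { kind: 'transfer', lamports: view.getBigUint64(4, true) };
}

function lamportsToSol(lamports) {
  return Number(lamports) / Number(LAMPORTS_PER_SOL);
}

// Walk every instruction in the transaction. Any System Program Transfer whose
// destination is not in `expectedRecipients` is reported with its position,
// accounts and amount. The swap instruction itself is left alone: the concern
// here is an extra transfer riding alongside it.
function findUnexpectedTransfers(instructions, expectedRecipients) {
  const findings = [];
  instructions.forEach((ix, position) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID) return;
    const decoded = decodeSystemInstruction(ix.data);
    if (decoded.kind !== 'transfer') return;
    const [from, to] = ix.accounts; // Transfer accounts: [source (signer), destination]
    if (!expectedRecipients.has(to)) {
      findings.push({
        position,
        from,
        to,
        lamports: decoded.lamports,
        sol: lamportsToSol(decoded.lamports),
      });
    }
  });
  return findings;
}

// Constructed sample: a swap instruction followed by a 0.0013 SOL transfer the
// user never asked for, appended the way the article describes.
function buildSampleTransaction() {
  return [
    {
      programId: SWAP_PROGRAM_PLACEHOLDER,
      accounts: [USER_WALLET],
      data: new Uint8Array([0x09, 0x00, 0x00, 0x00]), // opaque swap payload (constructed)
    },
    {
      programId: SYSTEM_PROGRAM_ID,
      accounts: [USER_WALLET, ATTACKER_WALLET],
      data: encodeTransferData(1_300_000n), // 0.0013 SOL in lamports
    },
  ];
}

// Usage: a wallet or extension auditor would run this over the transaction it is
// about to present for signing and refuse (or warn) when findings is non-empty.
const findings = findUnexpectedTransfers(buildSampleTransaction(), new Set([USER_WALLET]));
for (const f of findings) {
  console.log(`instruction ${f.position}: ${f.sol} SOL from ${f.from} to ${f.to}`);
}
```

The allowlist approach is deliberate: rather than trying to recognize the attacker's address, the inspector asks whether each lamport transfer goes somewhere the user expects, which also catches a hardcoded destination that changes between extension versions.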
The surrounding infrastructure of the extension appears solely designed to pass the Chrome Web Store's review process while enabling the siphoning of funds in the background, raising significant concerns over cybersecurity threats in the cryptocurrency realm.