If you’ve ever traded Solana (SOL), there’s a chance you’ve fallen victim to a sophisticated scam. A Google Chrome browser extension, posing as a handy tool, has been secretly siphoning off small amounts of SOL from transactions.
Crypto Copilot Skims from Solana Transactions #
Since June of this year, a Chrome extension has been stealthily skimming a portion of users’ Solana transactions. The extension, called Crypto Copilot, presents itself as a useful aid for crypto trading on the popular decentralized exchange Raydium on the Solana network.
The scam was discovered by the cybersecurity firm Socket. The research team revealed that Crypto Copilot steals a minimum of 0.05% or 0.0013 SOL from each transaction.
How the Chrome Extension Works #
For every transaction where a trader swaps Solana, Crypto Copilot adds something extra. First, the normal Raydium screen with instructions appears. Then, a second instruction is executed in the background.
This second instruction ensures that a minimum of 0.0013 SOL or 0.05% of the transaction is sent to an external crypto wallet—an address where crypto is stored. This address begins with Bjeida and ends with oxQff7 and is believed to belong to the scammer.
While the amounts may seem minimal, they add up to a significant sum. For example, a transaction of 100 SOL would net Crypto Copilot 0.05 SOL, which is worth over €6 at the current exchange rate. With many transactions being executed, this amount can quickly accumulate.
Furthermore, Raydium is a popular exchange. According to data from DefiLlama, its trading volume in the last 30 days alone was €14.33 billion.
Crypto Copilot Remains Active #
Although the cybersecurity firm has brought the issue to light, not everyone is yet aware of Crypto Copilot’s criminal activities. The reason users don’t notice it themselves is that they only see a summary of the transaction, in which the individual instructions are not visible.
Both instructions are executed automatically. Socket also noted that the scammer has hidden the extra transaction fees in complex code.
As of now, the extension has not yet been removed from the Chrome Web Store, although Socket has submitted a request to Google’s security team to do so.