Cybersecurity researchers discovered a new malicious extension on the Chrome Web Store, and it injects a stealthy Solana transfer into a swap transaction, ultimately transferring the funds to an attacker-controlled cryptocurrency wallet.
The extension, named Crypto Copilot, first appeared from a user named “sjclark76” on May 7, 2024. The developer describes the browser add-on as offering the ability to “trade crypto directly on X with real-time insights and seamless execution.” As of writing, the extension has 12 installs and still remains available for download.
“Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet,” Socket security researcher Kush Pandya said in a Tuesday report.
Specifically, the extension incorporates obfuscated code, and it activates when a user performs a Raydium swap. It manipulates the transaction and injects an undisclosed SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.
The extension appends a hidden SystemProgram.transfer util method to each swap before requesting the user’s signature, and it sends the fee to a hard-coded wallet embedded in the code. Additionally, it calculates the fee based on the amount traded, charging a minimum of 0.0013 SOL for trades and 2.6 SOL plus 0.05% of the swap amount when the trade exceeds 2.6 SOL. To avoid detection, the extension conceals its malicious behavior using techniques like minification and variable renaming.
The extension also communicates with a backend hosted on the domain “crypto-coplilot-dashboard.vercel[.]app” to register connected wallets, fetch points and referral data, and report user activity. Moreover, the domain—along with “cryptocopilot[.]app”—does not host any real product.
What’s notable about the attack is that users stay completely in the dark about the hidden platform fee, and the user interface only shows the details of the swap. Furthermore, Crypto Copilot leverages legitimate services like DexScreener and Helius RPC to create a veneer of trust.
“Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing,” Pandya said. “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”
Source: TheHackerNews
Read more at Impreza News
