
Cybersecurity researchers have discovered a new malicious extension in the Chrome Web Store that can insert stealthy Solana transfers into swap transactions and transfer funds to an attacker-controlled crypto wallet.
The extension, named Crypto Copilot, was first published on May 7, 2024 by a user named ‘sjclark76’. The developer describes the browser add-on as offering the ability to “trade cryptocurrencies directly on X with real-time insights and seamless execution.” This extension has had 12 installations and is still available for download at the time of writing.

“Behind the interface, the extension injects additional transfers into every Solana swap, siphoning a minimum of 0.0013 SOL, or 0.05% of the transaction amount, into a hard-coded attacker-controlled wallet,” Socket security researcher Kush Pandya said in a report on Tuesday.
Specifically, the extension contains obfuscated code that activates when a user performs a Raydium swap and modifies the transaction to insert a hidden SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.

It works by adding a hidden SystemProgram.transfer instruction to each swap before the user’s signature is requested, sending the fee to a hard-coded wallet embedded in the code. The fee is calculated from the trade amount: a minimum of 0.0013 SOL for trades up to 2.6 SOL, and 0.05% of the swap amount for trades above 2.6 SOL. To avoid detection, the malicious behavior is hidden using techniques such as minification and variable renaming.
The extension also communicates with a backend hosted on the domain crypto-coplilot-dashboard[.]vercel[.]app to register connected wallets, track points and referral data, and report user activity. The domain cryptocopilot[.]app does not host the actual product.

What is notable about this attack is that the user is completely unaware of the hidden platform fee, since only the swap details are visible in the user interface. Additionally, Crypto Copilot leverages legitimate services such as DexScreener and Helius RPC to lend it surface-level credibility.
“Because this transfer is added silently and sent to a personal wallet rather than the protocol treasury, most users will not notice it unless they examine each instruction before signing,” Pandya said. “The surrounding infrastructure appears to be designed solely for the purpose of passing Chrome Web Store review and feigning legitimacy while siphoning fees behind the scenes.”
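The check Pandya recommends, examining each instruction before signing, can be automated. The following is an added example (not code from the report or from the extension) that walks a decoded swap, flags System Program transfers to destinations the user did not intend to pay, and tests whether any such transfer matches the skim formula described above. Instruction objects are simplified stand-ins for @solana/web3.js types, and the program id and wallet strings in the sample are placeholders.

```javascript
// Added example, not from the report or the extension: a pre-signing review of a
// decoded Solana swap. Instructions are simplified plain objects, not @solana/web3.js types.
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // Solana System Program id
const LAMPORTS_PER_SOL = 1e9;
const MIN_SKIM_SOL = 0.0013; // floor reported for the hidden transfer
const SKIM_RATE = 0.0005;    // 0.05% of the swap amount above 2.6 SOL

// Fee the report describes: max(0.0013 SOL, 0.05% of the trade). 0.05% of 2.6 SOL is
// exactly 0.0013 SOL, which is why 2.6 SOL is the crossover point.
function expectedSkimSol(tradeSol) {
  return Math.max(MIN_SKIM_SOL, tradeSol * SKIM_RATE);
}

// Return every System Program transfer whose destination is not on the allowlist
// (the wallet's own accounts and any protocol account the swap legitimately pays).
function findUnexpectedTransfers(instructions, expectedDestinations) {
  const allowed = new Set(expectedDestinations);
  const findings = [];
  instructions.forEach((ix, index) => {
    if (ix.programId !== SYSTEM_PROGRAM_ID || ix.type !== 'transfer') return;
    if (allowed.has(ix.to)) return;
    findings.push({ index, to: ix.to, sol: ix.lamports / LAMPORTS_PER_SOL });
  });
  return findings;
}

// True when an unexpected transfer matches the skim formula for this trade size.
function looksLikeSkim(finding, tradeSol) {
  return Math.abs(finding.sol - expectedSkimSol(tradeSol)) < 1e-9;
}

// Constructed sample: a 1 SOL swap with a hidden 0.0013 SOL transfer appended.
// Program id and wallet strings are placeholders, not values from the report.
const USER_WALLET = 'USER_WALLET_PLACEHOLDER';
const SAMPLE_SWAP = {
  tradeSol: 1,
  instructions: [
    { programId: 'RAYDIUM_AMM_PROGRAM_PLACEHOLDER', type: 'swap', from: USER_WALLET },
    { programId: SYSTEM_PROGRAM_ID, type: 'transfer', from: USER_WALLET,
      to: 'UNKNOWN_WALLET_PLACEHOLDER', lamports: 1_300_000 },
  ],
};

// Review the sample and annotate each finding with whether it fits the skim pattern.
function reviewSampleSwap() {
  const findings = findUnexpectedTransfers(SAMPLE_SWAP.instructions, [USER_WALLET]);
  return findings.map(f => ({ ...f, skimPattern: looksLikeSkim(f, SAMPLE_SWAP.tradeSol) }));
}

console.log(reviewSampleSwap());
```

A wallet or dApp front end would run the same walk over the real decoded transaction, with the allowlist populated from the user's accounts and the DEX's known accounts.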
