Overview
- Researchers report that Crypto Copilot appends a hidden SystemProgram.transfer to Raydium swaps before users sign, causing the extra payment to execute atomically with the legitimate trade.
- The skimmed amount is a minimum of 0.0013 SOL or roughly 0.05% of the swap value, with coverage referencing a 2.6 SOL threshold that governs when the percentage fee applies.
- Socket says the extension relies on heavy code obfuscation and phones home to inactive or placeholder domains, including crypto-coplilot-dashboard.vercel.app and cryptocopilot.app, to register wallets and log activity.
- The Chrome Web Store listing, published in mid-2024 by a user named "sjclark76," shows only a small number of installs, and on-chain inflows to the attacker address remain limited so far.
- Socket filed a takedown request with Google and urges users to review signed instructions, revoke connections, and migrate funds to new wallets if they installed the extension.