Overview
- Socket researcher Kush Pandya reports the extension appends a hidden SystemProgram.transfer to Raydium swaps before users sign the transaction.
- The siphoned amount is the greater of 0.0013 SOL or 0.05% of the trade, rising to 2.6 SOL plus 0.05% for swaps above 2.6 SOL.
- Crypto Copilot was published on May 7, 2024 by a user identified as “sjclark76” and shows 12 installs, with the Chrome Web Store listing still available.
- The code is obfuscated and the extra transfer is not shown in the swap interface, leaving most users unaware unless they inspect each instruction.
- The extension contacts backend domains including crypto-coplilot-dashboard.vercel.app and cryptocopilot.app and leverages DexScreener and Helius to appear legitimate.