Overview
- Security researcher Kush Pandya at Socket found that the Crypto Copilot extension silently appends a SystemProgram.transfer instruction to Raydium swap transactions before the user signs them, sending SOL to a hard-coded attacker wallet.
- The hidden charge is at least 0.0013 SOL or 0.05% of the trade, whichever is greater, and for larger swaps a 2.6 SOL plus 0.05% rule applies; none of this is disclosed to users.
- The code is heavily obfuscated. The extension phones home to crypto-coplilot-dashboard.vercel.app and to the parked domain cryptocopilot.app, while calling the legitimate DexScreener and Helius APIs so that it looks like a genuine trading tool.
- Socket reported that funds collected on-chain remain limited, but warned that losses scale with adoption and trade size, and noted the Chrome Web Store listing is still available.
- Users who installed Crypto Copilot are urged to remove it, review every instruction in a transaction before signing it, revoke the sites connected to their wallet, and move assets to a fresh wallet.
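What "review every instruction before signing" means in practice, as an added example that is not code from Socket's report or from the extension: a pre-signing audit that walks a decompiled Solana transaction, decodes any SystemProgram transfer (the real System Program ID and the real 12-byte transfer layout, u32 LE discriminator 2 followed by u64 LE lamports, are used), and flags a transfer from the signer to an account that is not the signer's own, or an instruction aimed at a program the swap should not touch. All account addresses and the Raydium program ID below are constructed placeholders, and the sample transaction is constructed to mirror the pattern described above.

```javascript
// Added example, not from Socket's report or the Crypto Copilot extension.
// Instructions are modelled the way a wallet sees them after decompiling a message:
//   { programId: <base58 string>, keys: [{ pubkey, isSigner, isWritable }], data: Uint8Array }
// Addresses and the Raydium program ID are placeholders; the System Program ID is real.

const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"; // real System Program ID
const SYSTEM_IX_TRANSFER = 2;          // SystemInstruction::Transfer discriminator
const LAMPORTS_PER_SOL = 1_000_000_000n;

function u32le(n) { const b = new Uint8Array(4); new DataView(b.buffer).setUint32(0, n, true); return b; }
function u64le(n) { const b = new Uint8Array(8); new DataView(b.buffer).setBigUint64(0, BigInt(n), true); return b; }

// Encode a SystemProgram transfer in the on-chain layout:
// data = u32 LE discriminator (2) || u64 LE lamports; keys = [from (signer, writable), to (writable)]
function systemTransfer(from, to, lamports) {
  const data = new Uint8Array(12);
  data.set(u32le(SYSTEM_IX_TRANSFER), 0);
  data.set(u64le(lamports), 4);
  return {
    programId: SYSTEM_PROGRAM_ID,
    keys: [{ pubkey: from, isSigner: true, isWritable: true }, { pubkey: to, isSigner: false, isWritable: true }],
    data,
  };
}

// Decode the same layout; returns null for anything that is not a System transfer.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length !== 12 || ix.keys.length < 2) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_IX_TRANSFER) return null;
  return { from: ix.keys[0].pubkey, to: ix.keys[1].pubkey, lamports: view.getBigUint64(4, true) };
}

// Walk every instruction before signing. A transfer out of the signer's wallet to an
// account that is not the signer's own (a temporary wSOL account funded for the swap is
// expected and allowed), or an instruction aimed at a program outside the swap, is reported.
function auditSwap(instructions, { signer, ownAccounts, expectedPrograms }) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t) {
      if (t.from === signer && !ownAccounts.has(t.to)) {
        findings.push({ index, kind: "unexpected_transfer", to: t.to, lamports: t.lamports });
      }
    } else if (ix.programId !== SYSTEM_PROGRAM_ID && !expectedPrograms.has(ix.programId)) {
      findings.push({ index, kind: "unexpected_program", programId: ix.programId });
    }
  });
  return findings;
}

function lamportsToSol(lamports) { return Number(lamports) / Number(LAMPORTS_PER_SOL); }

// Constructed sample transaction: a wSOL funding transfer, the swap itself, and an appended
// transfer to an address the user never chose (the pattern described in the overview).
const USER = "UserWallet1111111111111111111111111111111111";          // placeholder
const USER_WSOL = "UserWsolAccount11111111111111111111111111111";     // placeholder
const RAYDIUM_AMM = "RaydiumAmmProgramPlaceholder1111111111111111";   // placeholder, not the real ID
const ATTACKER = "AttackerWallet11111111111111111111111111111111";    // placeholder

const sampleInstructions = [
  systemTransfer(USER, USER_WSOL, 1_000_000_000n),   // 1 SOL into the user's own wSOL account: expected
  { programId: RAYDIUM_AMM, keys: [{ pubkey: USER, isSigner: true, isWritable: true }], data: new Uint8Array([9]) }, // the swap
  systemTransfer(USER, ATTACKER, 1_300_000n),        // 0.0013 SOL appended silently
];

const sampleFindings = auditSwap(sampleInstructions, {
  signer: USER,
  ownAccounts: new Set([USER, USER_WSOL]),
  expectedPrograms: new Set([RAYDIUM_AMM]),
});

for (const f of sampleFindings) {
  if (f.kind === "unexpected_transfer") console.log(`ix ${f.index}: ${lamportsToSol(f.lamports)} SOL to ${f.to}`);
  else console.log(`ix ${f.index}: unexpected program ${f.programId}`);
}
```

The allowlist of the signer's own accounts matters: a Raydium swap that starts from native SOL legitimately funds a temporary wSOL account with a System transfer, so flagging every transfer would drown the real finding. Only transfers whose destination the user did not choose, such as the third instruction above, survive the filter. Real wallets decompile versioned messages with address lookup tables; this example assumes that step has already produced resolved addresses.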