In the fast-paced world of cryptocurrency trading, where every swap can mean the difference between profit and loss, security threats lurk in the most unexpected places. A seemingly innocuous Chrome browser extension has emerged as a new nightmare for Solana users, quietly siphoning funds from wallets without raising alarms. Dubbed “Crypto Copilot,” this malicious tool highlights the evolving sophistication of crypto scams—and serves as a stark reminder to scrutinize every app you install.
The Deceptive Allure of Crypto Copilot
Launched on the Chrome Web Store in June 2024, Crypto Copilot was marketed as a game-changer for Solana traders. Promising to streamline trades directly from users’ X (formerly Twitter) feeds, it appealed to those juggling high-volume swaps on decentralized exchanges like Raydium. At first glance, it appeared legitimate: a shortcut to faster execution in a market where speed is king.
But beneath the polished facade lies a cunning exploit. Once installed, the extension injects hidden code into your browsing session. Specifically, it appends an unauthorized instruction to every Solana swap transaction on Raydium. This sneaky addition diverts a portion of your funds—either 0.05% of the trade value or a flat minimum of 0.0013 SOL (whichever is greater)—straight to the attacker’s wallet address, identified as “Bjeida.”
The theft is subtle and scalable. For a small trade under 2.6 SOL, you’re hit with the minimum fee. But for larger volumes, the 0.05% cut adds up quickly. High-frequency traders could bleed thousands over time without a single red flag in their transaction history. The extension’s JavaScript is heavily obfuscated, making it tough for casual users to spot, and it even phones home wallet details and activity logs to a shady backend at crypto-coplilot-dashboard.vercel.app, powered by a hardcoded Helius API key.
As investigators from the security firm Socket note, “The extension secretly appends an extra instruction to each Solana swap, siphoning 0.05% or at least 0.0013 SOL from the user’s wallet into the attacker’s address.” This isn’t a one-off heist; it’s a persistent parasite that feeds on your trading habits.
A Growing Toll on the Crypto Ecosystem
The exact number of victims remains unclear, as the extension’s distribution appears limited—on-chain traces to the attacker’s wallet show modest activity so far. However, the potential for widespread damage is alarming. Solana’s ecosystem, known for its lightning-fast transactions and low fees, has attracted millions of users, making it a prime target for such low-and-slow attacks.
In the broader context, this incident underscores a troubling trend. Browser extensions have become one of the most insidious vectors for crypto theft in 2025. According to recent reports, wallet-related breaches alone accounted for $1.7 billion of the $2.2 billion stolen in the first half of the year, with phishing scams adding another $410 million. Just weeks ago, researchers uncovered over 40 fake Firefox extensions mimicking popular wallet providers, draining users in similar fashion. Socket’s team warns that mechanisms like this “scale with trading activity, meaning high-volume users could lose larger amounts over time without noticing the incremental drain.”
For Solana traders, the pain is compounded by the platform’s user-friendly interfaces. Most wallet apps display only high-level swap summaries in confirmation pop-ups, hiding the malicious add-on in plain sight. You think you’re just approving a simple trade—until your balance mysteriously erodes.
How to Protect Yourself: Detection and Defense
The good news? Crypto Copilot is still detectable, though Google hasn’t yet pulled it from the Web Store despite a takedown request from Socket. Here’s how to safeguard your setup:
- Immediate Action: If you’ve installed Crypto Copilot, uninstall it right away via Chrome’s Extensions menu (chrome://extensions/). Search for it by name and hit “Remove.”
- Spot the Fakes: Before adding any extension, verify its developer, read recent reviews, and cross-check against official sources. Legitimate tools like this one? They don’t exist in a vacuum—check for active support sites, documentation, and community buzz. Crypto Copilot’s domain (cryptocopilot.app) is a parked placeholder with zero substance.
- Transaction Vigilance: Always review full transaction details in your wallet app (e.g., Phantom or Solflare) before signing. Look for unexpected transfers or unfamiliar addresses. Tools like Solana Explorer can help audit past swaps for anomalies.
- Layered Security: Enable two-factor authentication everywhere, use hardware wallets for big trades, and consider extension blockers or sandboxed browsers for crypto activities. Security audits from firms like Socket are your friend—follow their feeds for real-time alerts.
- Report and Recover: If you’ve been hit, report to Google (via the Web Store) and platforms like Raydium. Tracing funds to “Bjeida” might aid recovery efforts, though crypto’s irreversible nature makes this an uphill battle.
A Wake-Up Call for Smarter Crypto Habits
The rise of Crypto Copilot isn’t just a tech glitch—it’s a symptom of crypto’s maturation pains. As adoption surges, so do the wolves in sheep’s clothing. This extension preys on our love for convenience, turning a helpful tool into a hidden tax on every trade.
For traders, the lesson is clear: In a space where trust is earned byte by byte, skepticism is your best armor. Stay informed, audit your extensions, and remember— if it sounds too good to be true, it probably is. Solana’s speed is its strength, but only if we outpace the scammers.
As 2025 draws to a close, let’s hope Google’s swift action and community vigilance clip this copilot’s wings for good. Your wallet will thank you.