Full Report
Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that's capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. The extension, named Crypto Copilot, was first published by a user named "sjclark76" on May 7, 2024. The developer describes the browser add-on as
Analysis Summary
# Tool/Technique: Crypto Copilot Malicious Chrome Extension
## Overview
Crypto Copilot is a malicious browser extension distributed via the Chrome Web Store that is designed to steal cryptocurrency, specifically Solana (SOL), from users executing token swaps on the Raydium decentralized exchange (DEX). It achieves this by silently injecting an unauthorized transfer instruction into the user's signed transaction.
## Technical Details
- Type: Malware (Malicious Browser Extension)
- Platform: Chrome Web Store (Targeting Chrome browser users)
- Capabilities: Modifying cryptocurrency transactions, siphoning funds to an attacker-controlled wallet, obfuscation, communication with a backend service.
- First Seen: May 7, 2024 (Date the extension was first published)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1588.002 - Obtain Capabilities: Acquire Software (leveraging the legitimate Chrome Web Store distribution mechanism)
- **TA0008 - Lateral Movement** (implied only if the extension facilitates further compromise; the direct evidence points to financial theft)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
  - *Note: While the injected transfer is the direct payload, the registration/reporting traffic uses a C2 channel.*
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP/S for backend communication)
- **TA0006 - Credential Access** (potential: the extension handles connected-wallet information, but its observed focus is transaction manipulation)
## Functionality
### Core Capabilities
- **Transaction Manipulation:** Detects when a user initiates a swap transaction on the Raydium DEX (Solana).
- **Hidden Transfer Injection:** Appends an undisclosed `SystemProgram.transfer` instruction to the transaction payload before the user requests cryptographic signature.
- **Fund Siphoning:** Transfers a portion of the user's SOL to a hardcoded attacker-controlled wallet (`Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7`).
- **Fee Structure:** Skims a minimum of 0.0013 SOL per swap, or 0.05% of the swap amount once the trade exceeds 2.6 SOL (the point at which 0.05% equals 0.0013 SOL, so the percentage rule takes over above that size).
### Advanced Features
- **Stealth and Evasion:** Utilizes code minification and variable renaming to conceal malicious logic from superficial review.
- **Legitimacy Veneer:** Leverages known, legitimate services like DexScreener and Helius RPC to appear trustworthy to users and aid in passing initial reviews.
- **Backend Communication:** Communicates with a backend server to register connected wallets, fetch ancillary data (points, referral info), and report user activity.
### Indicators of Compromise
- **Developer/Publisher:** "sjclark76"
- **Extension Name:** Crypto Copilot
- **Malicious Wallet Address:** Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7
- **Network Indicators (Defanged C2/Backend):**
  - `crypto-coplilot-dashboard.vercel[.]app`
  - `cryptocopilot[.]app`
- **Behavioral Indicators:** Injection of an unauthorized system program transfer instruction into verified Solana DEX swap transactions before user signing.
## Associated Threat Actors
- Currently attributed only to the developer pseudonym "sjclark76." No affiliation with an established APT group is mentioned in the source reporting.
## Detection Methods
- **Signature-based detection:** Match the hardcoded attacker wallet address in transaction-analysis and pre-signing simulation tooling.
- **Behavioral detection:** Monitor browser extensions that intercept or modify inputs/messages destined for known DeFi/Web3 interfaces (specifically Raydium) immediately before the wallet's signature request.
- **Code analysis:** Flag systematic obfuscation (minification, variable renaming) combined with Solana Web3 instruction-manipulation logic (for example, appending a `SystemProgram.transfer` to an existing transaction).
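The following is an added example, not code from the report or from the extension, showing the pre-signing inspection the behavioral and signature-based detections above describe, together with the skim rule from the Fee Structure section. It models a Solana transaction as a plain object (instruction list with `programId`, account keys and raw `data`) instead of depending on `@solana/web3.js`, decodes the System program `Transfer` layout (u32 LE instruction index `2`, then u64 LE lamports), and flags any transfer whose recipient is the known attacker wallet or is outside the recipients the user expected. The sample transaction, the `RAYDIUM_PROGRAM_PLACEHOLDER` program id and the user account strings are constructed for the example; only the attacker wallet address comes from the report.

```javascript
// Added example: audit a swap transaction's instructions before it is signed.
// Transaction model is a plain object (no @solana/web3.js) so this runs offline.
const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // Solana System program
const SYSTEM_TRANSFER_INDEX = 2; // System program instruction enum: Transfer

// IoC from the report: hardcoded attacker-controlled wallet.
const KNOWN_BAD_RECIPIENTS = new Set(['Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7']);

// Reported skim rule: 0.05% of the swap, never less than 0.0013 SOL.
// Integer arithmetic avoids floating-point drift on lamport amounts.
function expectedSkimLamports(swapLamports) {
  const percent = Math.floor((swapLamports * 5) / 10_000); // 0.05%
  const minimum = 1_300_000; // 0.0013 SOL in lamports
  return Math.max(percent, minimum);
}

// Encode a System Transfer instruction payload (used only to build sample input).
function encodeTransfer(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Decode a System Transfer; returns null for any other instruction.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM_ID || ix.data.length < 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  // Account order for Transfer is [from (signer, writable), to (writable)].
  return { from: ix.keys[0], to: ix.keys[1], lamports: Number(view.getBigUint64(4, true)) };
}

// Walk every instruction and report SOL transfers the user did not intend.
// expectedRecipients: accounts the swap legitimately pays (e.g. the user's own
// wrapped-SOL account). swapLamports lets the audit compare a suspicious amount
// against the reported skim rule.
function auditBeforeSigning(tx, expectedRecipients, swapLamports) {
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (!t) return;
    let severity = null;
    let reason = null;
    if (KNOWN_BAD_RECIPIENTS.has(t.to)) {
      severity = 'critical';
      reason = 'recipient matches known attacker wallet';
    } else if (!expectedRecipients.has(t.to)) {
      severity = 'warning';
      reason = 'SOL transfer to a recipient not part of the intended swap';
    }
    if (severity) {
      findings.push({
        index, severity, reason, ...t,
        matchesReportedSkimRule: t.lamports === expectedSkimLamports(swapLamports),
      });
    }
  });
  return findings;
}

// Constructed sample: a 10 SOL swap with one legitimate transfer and one injected skim.
const USER_WALLET = 'USER_WALLET_PLACEHOLDER';
const USER_WSOL_ACCOUNT = 'USER_WSOL_ACCOUNT_PLACEHOLDER';
const SWAP_LAMPORTS = 10 * LAMPORTS_PER_SOL;
const SAMPLE_TX = {
  instructions: [
    { programId: 'RAYDIUM_PROGRAM_PLACEHOLDER', keys: [USER_WALLET], data: new Uint8Array([9]) },
    { programId: SYSTEM_PROGRAM_ID, keys: [USER_WALLET, USER_WSOL_ACCOUNT], data: encodeTransfer(SWAP_LAMPORTS) },
    { programId: SYSTEM_PROGRAM_ID, keys: [USER_WALLET, 'Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7'],
      data: encodeTransfer(expectedSkimLamports(SWAP_LAMPORTS)) },
  ],
};

function runSampleAudit() {
  return auditBeforeSigning(SAMPLE_TX, new Set([USER_WSOL_ACCOUNT]), SWAP_LAMPORTS);
}

for (const f of runSampleAudit()) {
  console.log(`[${f.severity}] instruction ${f.index}: ${f.lamports} lamports -> ${f.to} (${f.reason})`);
}
```

The allowlist approach matters more than the IoC match: a rebuilt extension with a new wallet defeats the address signature, but any System transfer to an account the user did not set out to pay is still surfaced. Wallet software that simulates transactions can run the same walk over the compiled message and refuse to prompt for a signature until the user acknowledges each unexpected transfer.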
## Mitigation Strategies
- **Prevention Measures:**
  1. Users must meticulously review *every* instruction presented in the transaction signing prompt, checking for unknown transfer calls, especially on Solana where multiple instructions can be bundled into one transaction.
  2. Avoid installing browser extensions downloaded from external sources or those with an unverified development history, even if listed on official stores.
- **Hardening Recommendations:**
  1. Limit the permissions requested by installed browser extensions.
  2. Use dedicated, non-custodial hardware wallets and sign transactions only after verifying that the signer application is running as expected.
## Related Tools/Techniques
- General category of **Malicious Browser Extensions** targeting cryptocurrency users (e.g., extensions that steal seed phrases or inject malicious swap instructions).
- Malicious activity mimicking legitimate application functions (Poisoned update/extension technique).