Security researchers at Socket have uncovered a sophisticated crypto scam targeting Solana traders through the Crypto Copilot Chrome extension. The malicious tool has been quietly draining 0.05% from every Raydium swap while transmitting sensitive wallet information to suspicious servers, marking the latest evolution in browser-based cryptocurrency attacks.

A newly identified Chrome extension marketed as a Solana trading assistant has been caught red-handed stealing funds from unsuspecting cryptocurrency traders, according to security researchers at Socket. The extension, called Crypto Copilot, has been skimming an additional 0.05% fee from every swap conducted through the Raydium decentralized exchange.

The malicious extension, which integrated with X (formerly Twitter) to provide trading functionality, employed multiple deceptive tactics beyond the hidden fee structure. Socket's investigation revealed that the extension was also harvesting wallet data and transmitting it to a blank backend domain, raising serious concerns about the potential for future exploitation of compromised user information.

What makes this attack particularly insidious is the subtle nature of the theft. At just 0.05% per transaction, the skimmed amount is small enough to avoid immediate detection by most traders, who might attribute the discrepancy to normal slippage or network fees. However, when aggregated across potentially thousands of users and transactions, the total stolen amount could be substantial.

This incident underscores a disturbing trend in cryptocurrency security threats. Despite overall crypto losses declining in 2025 compared to previous years, browser extension attacks have been increasing in both frequency and sophistication. Malicious actors are capitalizing on the growing popularity of browser-based crypto tools and the trust users place in extensions that appear legitimate.

Security experts recommend several precautions for crypto traders. First, only install extensions from verified developers with established reputations and transparent backgrounds. Second, carefully review the permissions requested by any extension before installation. Third, conduct small test transactions before committing significant funds through any new trading tool.

The Crypto Copilot case also highlights the importance of the broader security community. Socket's researchers discovered the malicious activity through proactive monitoring, demonstrating the value of ongoing vigilance in the cryptocurrency ecosystem.

Traders who may have used the Crypto Copilot extension should immediately remove it, consider rotating their wallet security credentials, and monitor their transaction history for suspicious activity. As the crypto industry continues to mature, incidents like this serve as stark reminders that convenience must never come at the expense of security due diligence.