Cybersecurity researchers have uncovered a malicious Chrome extension named Crypto Copilot, which secretly siphons funds from users during Solana transactions. Published on May 7, 2024, by a user named "sjclark76," the extension has only 12 installs but remains available on the Chrome Web Store. It claims to facilitate crypto trading on X with real-time insights, but its true function is far more nefarious. The extension injects an unauthorized transfer into every Solana swap executed through the decentralized exchange Raydium. When users initiate a swap, the extension appends a hidden transfer command that takes at least 0.0013 SOL or 0.05% of the trade amount, directing these funds to a wallet controlled by the attacker. This operation is concealed with obfuscated code, making it difficult for users to detect the added fee unless they scrutinize every transaction detail before signing. Crypto Copilot communicates with a backend hosted on a domain that doesn’t support any legitimate product, further masking its malicious intent. It also employs trusted services, like DexScreener and Helius RPC, to create a false sense of security. Users are kept unaware of the hidden fees, as the interface only displays the swap details, allowing the extension to operate unnoticed while siphoning off funds.