Malicious Chrome Extension Crypto Copilot Siphons SOL from Users

Socket’s Threat Research Team discovered a malicious Chrome extension, Crypto Copilot, published on June 18, 2024. The extension, marketed as a tool to execute trades instantly from social media feeds, secretly injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to an attacker-controlled wallet. The fee behavior is hidden within heavily obfuscated code and is not disclosed on the Chrome Web Store listing. Users sign what appears to be a single swap, but both instructions execute atomically on-chain. The extension remains available, and a takedown request has been submitted to Google’s Chrome Web Store security team.

Latest mentioned: 11-27

Earliest mentioned: 11-26

Sources

socket.dev thehackernews.com securityonline.info gbhackers.com

Also Read

StealC V2 Malware Spread via Blender Files on 3D Sites

Cybersecurity firm Morphisec reported that StealC V2 infostealer is being spread through malicious Blender files on 3D model marketplaces. The malware abuses Blender’s ability to run Python scripts for automation and add-ons. The campaign, active for at least six months, involves implanting malicious .blend files on platforms like CGTrader. Users unknowingly download these files, which execute embedded Python scripts upon opening in Blender. The attack chain begins with a tampered Rig_Ui.py script embedded inside the .blend file, which fetches a loader from a remote domain, downloading a PowerShell stage and ZIP archives containing Python-based stealers. The malware creates LNK files to secure persistence and uses Pyramid C2 channels to retrieve encrypted payloads. StealC V2 now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN, and mail clients.

11-26Read more →