Malicious chrome extension injects hidden SOL fees into solana swaps

[_act_]

A chrome extension with Raydium swaps secretly making people lose money as fee, the money list in fee can be  0.0013 SOL or 0.05% of the trade amount to a wallet controlled by the extension developer.

https://socket.dev/blog/malicious-chrome-extension-injects-hidden-sol-fees-into-solana-swaps

No mention of the fee in extension but was charged in an hidden way.

Is this a kind of scam?

[sokani]

Of course, it's a scam.

For persons who did not read the article, the name of the malicious extension is Crypto Pilot. Felt it's necessary for people to know, so they be mindful of it.



Despite it being reported to Google, according to the writer, I'm surprised the malicious extension is still up and running on the Chrome Web Store.

I think this post should be moved to the beginners and help board.

[Shishir99]

Thanks for the info.

However, I believe this thread belongs on the Scam Accusation board, as we are discussing crypto scams. I don't know how to report extensions, and even if people report them, I am unsure if Google cares about them. I have heard about a lot of Android apps that are available on Google play store and those apps steal users data, plus there are some fake crypto apps that are scam. If google do not remove these apps, I am unsure if they will care about the extension.

[_act_]

Despite it being reported to Google, according to the writer, I'm surprised the malicious extension is still up and running on the Chrome Web Store.

That is one thing about Google but I do not know if Google is seeing is as scam, but if Google is seeing it as scam, they are very slow to take actions. There have been some that have been reported before but it can take many hours or some days before it would be taken down. It will be good if you are all reporting it also, because the more the report, the faster Google will look into it.

[JeromeTash]

I don't know how to report extensions,

There is the link


The App or extension appeared to be so active about 10 months ago and looking at the transaction history, there are no recent ones which mean either people abandoned using it or they changed the deposit address

Here is the transaction history of the hacker's address - https://solscan.io/account/Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg73oxQff7

[TryNinja]

The thing is that a extension that provides you a service, like swaping from your X feed, could charge a fee for this convenience. The problem is that the fee isn’t disclosed and not only that but they went as far as obfuscating the code to hide it from anyone looking around. That implies a malicious intent.

If they clearly said there is a free, then there would be no issues with that.

[Forsyth Jones]

Wow, we have a "modest" malware here, instead of it draining the entire balance of the wallet, it diverts a certain amount through the fees, lol.

That is why I avoid using Bitcoin/crypto-related extensions on chrome/brave, as you are much more likely to contract malware with a crypto extension than an non-crypto-related.

...I have heard about a lot of Android apps that are available on Google play store and those apps steal users data, plus there are some fake crypto apps that are scam. If google do not remove these apps, I am unsure if they will care about the extension.

A good way to avoid falling victim to malicious software and extensions is by carefully checking the permissions that the App requests before downloading it, a calculator doesn't need to have access to your contacts and microphone and so on.
Thanks OP for reporting this.

[Pmalek]

The drainer extension has been available since the summer of 2024 but it's malicious nature has only been discovered now. The reason for that is surely that its developer only stole a small percentage per swap. Smartly done, but still dangerous for end-users. The developer can update the extension any day and introduce new code that takes a bigger percentage or all of the crypto and/or infects the host computers with malware that can cause more problems.

[albon]

The drainer extension has been available since the summer of 2024 but it's malicious nature has only been discovered now. The reason for that is surely that its developer only stole a small percentage per swap. Smartly done, but still dangerous for end-users. The developer can update the extension any day and introduce new code that takes a bigger percentage or all of the crypto and/or infects the host computers with malware that can cause more problems.

If these are hidden fees charged by the developer without disclosing them in the extension details, even if the fees are small this is undoubtedly suspicious and clearly fraudulent behavior. I agree with you that an unethical developer may take a larger percentage of the extension users' fees without their knowledge, or even steal all the money.

It is best to avoid these extensions that act as intermediaries between you and the swap platform and conduct your swaps directly without using these extensions. There are many malicious extensions that we should avoid, which may not be open source and may entice you to use them based on the features they may provide to their users, while you have no idea how they handle your privacy and the security of your assets.