Executive Summary
In May 2024, researchers identified a malicious Chrome extension named 'Crypto Copilot' that was surreptitiously injecting unauthorized Solana (SOL) transfer instructions during Raydium swap transactions, redirecting user assets to an attacker-controlled wallet. Initially published on the Chrome Web Store by a developer under the alias 'sjclark76,' the extension posed as a crypto utility tool but covertly modified transaction data to exfiltrate funds without user knowledge. The breach highlighted the growing risk of supply-chain malware within browser ecosystems and exposed users to direct financial theft via manipulated decentralized finance (DeFi) operations.
This incident exemplifies a broader trend of attackers leveraging browser extensions to exploit DeFi and cryptocurrency users at scale. With the proliferation of novel supply-chain vectors and the rise of open-source and web-based crypto tools, organizations and individuals must exercise heightened due diligence and implement robust extension vetting and monitoring practices.
Why This Matters Now
Browser extensions continue to operate as a critical blind spot for both organizations and end-users, enabling stealthy supply-chain attacks that can bypass traditional endpoint security. The infiltration of a malicious extension into a legitimate marketplace underscores the urgency for proactive vetting, stronger application controls, and enhanced user education—especially as threat actors increasingly target growing crypto economies and web-based wallets.
Attack Path Analysis
The attacker gained initial access through a malicious Chrome extension published to the web store under false pretenses. Once installed, the extension leveraged its browser permissions to escalate privileges, inserting additional instructions into swap transactions. Lateral movement occurred as the attacker manipulated browser workflows and accessed connected Solana wallets during Raydium swaps. The extension established command and control by communicating with attacker-controlled infrastructure to coordinate the fraud. It exfiltrated assets by inserting hidden Solana transfer instructions that funneled funds to wallets under attacker control. The impact was direct financial loss for end users, with covert theft and potential difficulty in attribution and recovery.
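The injection described above works because a swap transaction can carry extra instructions that the user never sees. The following added example (not code from the advisory or from any wallet or extension it names) shows a defender-side pre-signing check: it decodes each instruction, recognises Solana System Program transfers by their wire layout, and flags any transfer out of the signer's wallet to an address that is not on an allowlist of accounts the swap is legitimately expected to fund (such as the user's own wrapped-SOL token account). The transaction shape and all addresses are constructed placeholders.

```javascript
const SYSTEM_PROGRAM = "11111111111111111111111111111111"; // Solana System Program id
const SYSTEM_TRANSFER_INDEX = 2; // System Program instruction enum: Transfer = 2

// Decode a compiled instruction as a System Program Transfer, or return null.
// Wire layout of Transfer data: u32 LE instruction index, then u64 LE lamports.
function decodeSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.data.length !== 12) return null;
  const view = new DataView(ix.data.buffer, ix.data.byteOffset, ix.data.byteLength);
  if (view.getUint32(0, true) !== SYSTEM_TRANSFER_INDEX) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Flag every SOL transfer out of the signer's wallet whose destination is not on
// the allowlist of accounts the swap is expected to fund (e.g. the signer's own
// wrapped-SOL token account). A hidden "fee" to a foreign address shows up here.
function findUnexpectedTransfers(tx, signer, allowedDestinations) {
  const allowed = new Set(allowedDestinations);
  const findings = [];
  tx.instructions.forEach((ix, index) => {
    const t = decodeSystemTransfer(ix);
    if (t && t.from === signer && t.to !== signer && !allowed.has(t.to)) {
      findings.push({ index, to: t.to, lamports: t.lamports, sol: Number(t.lamports) / 1e9 });
    }
  });
  return findings;
}

// Helper to build Transfer instruction data for the constructed sample below.
function transferData(lamports) {
  const buf = new Uint8Array(12);
  const view = new DataView(buf.buffer);
  view.setUint32(0, SYSTEM_TRANSFER_INDEX, true);
  view.setBigUint64(4, BigInt(lamports), true);
  return buf;
}

// Constructed sample transaction: a swap instruction (placeholder program id)
// followed by an injected 0.05 SOL transfer to a placeholder attacker address.
const USER = "USER_WALLET_PLACEHOLDER";
const ATTACKER = "ATTACKER_WALLET_PLACEHOLDER";
const sampleTx = {
  instructions: [
    { programId: "SWAP_PROGRAM_PLACEHOLDER", accounts: [USER], data: new Uint8Array([9, 1, 2, 3]) },
    { programId: SYSTEM_PROGRAM, accounts: [USER, ATTACKER], data: transferData(50_000_000) },
  ],
};

// A wallet or extension-auditing tool would refuse to sign when this is non-empty.
console.log(findUnexpectedTransfers(sampleTx, USER, []));
```

Running the same check against a transaction simulation (balance deltas per account) catches the case where the drain is hidden behind a program other than the System Program, since the pre-signing view above only decodes plain SOL transfers.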
Kill Chain Progression
Initial Compromise
Description
The user was tricked into installing a malicious Chrome extension (Crypto Copilot) from the official web store, leading to compromise of their browser environment.
MITRE ATT&CK® Techniques
- Supply Chain Compromise: Compromise Software Supply Chain
- Compromise Client Software Binary
- Browser Extensions
- Phishing: Spearphishing Attachment
- System Script Proxy Execution
- Data Obfuscation
- Exfiltration Over C2 Channel
- Container Administration Command
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS v4.0 – Application Security for Public-Facing Applications (Control ID: 6.4.3)
- NYDFS 23 NYCRR 500 – Application Security (Control ID: 500.08)
- DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management (Control ID: Article 11(1))
- NIS2 Directive – Supply Chain Security for Essential and Important Entities (Control ID: Article 21(2)(d))
- CISA Zero Trust Maturity Model (ZTMM) 2.0 – Secure Third-Party Applications and Extensions (Control ID: Applications Pillar – Threat Protection)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Supply-chain attacks targeting crypto extensions expose financial institutions to wallet compromise, fund theft, and regulatory violations under compliance frameworks requiring encrypted traffic protection.
Computer Software/Engineering
The Chrome extension supply-chain compromise demonstrates a critical vulnerability in browser-based applications, requiring enhanced segmentation policies and threat detection for development environments and user systems.
Investment Banking/Venture
Malicious crypto extensions inject hidden transfer fees, directly targeting investment firms' cryptocurrency trading operations and exposing client funds to unauthorized wallet transfers.
Capital Markets/Hedge Fund/Private Equity
Stealthy Solana transaction injection attacks compromise trading integrity, requiring enhanced egress security policies and anomaly detection to protect cryptocurrency investment operations and client assets.
Sources
- Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps: https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html
- Malicious Chrome Extension Silently Steal and Injects Hidden SOL Fees Into Solana Swaps: https://www.cryptika.com/malicious-chrome-extension-silently-steal-and-injects-hidden-sol-fees-into-solana-swaps/
- Chrome extension skims crypto with every trade: https://cybernews.com/security/malicious-chrome-extension-skims-crypto-with-every-trade/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud Network Security Framework controls like zero trust segmentation, egress filtering, anomaly detection, and visibility can significantly reduce the success and impact of supply chain attacks by restricting malicious egress, detecting behavioral anomalies, and isolating workload communications—even when the initial compromise happens at the endpoint or browser layer.
Control: Multicloud Visibility & Control
Mitigation: Improved centralized monitoring would highlight suspicious extension behaviors and policy deviations.
Control: Zero Trust Segmentation
Mitigation: Least privilege policies constrain the extension's access to internal workloads and APIs, reducing further exploitation.
Control: East-West Traffic Security
Mitigation: Internal segmentation blocks unauthorized service-to-service or workload-to-workload traffic resulting from the breach.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Outbound C2 channels are identified and blocked using known malicious indicators and advanced threat patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound egress filtering flags or stops suspicious cryptocurrency transactions to unapproved destinations, and anomaly detection tools alert on unusual transaction volume or new wallet interaction patterns.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Trading
- Financial Transactions
Estimated downtime: N/A
Estimated loss: $5,000
The malicious extension exfiltrates users' connected wallet public keys to an attacker-controlled server, leading to potential privacy violations and unauthorized access to sensitive financial information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce egress security controls and outbound filtering to detect and block malicious browser extension traffic.
- Deploy multicloud visibility solutions to rapidly identify anomalous application behaviors and risky extensions.
- Use zero trust segmentation and least privilege policies to prevent unauthorized API and workload access from compromised endpoints.
- Implement threat detection and continuous monitoring for unusual wallet transactions and external communications.
- Regularly review and restrict permissions for browser extensions and cloud workloads to minimize supply chain exposure.