Concise Cyber

Malicious Chrome Extension Injected Hidden Fees into Solana Raydium Swaps

A malicious Google Chrome browser extension was identified and removed after it was discovered covertly injecting code to siphon funds from users of the Raydium decentralized exchange. The extension operated by adding a hidden transfer fee to cryptocurrency swaps on the Solana blockchain, redirecting the stolen assets to an attacker’s wallet.

Security researchers found that the extension, sometimes masquerading as a tool named “Solana Swap Sniffer,” targeted users interacting with the Raydium platform. The malicious code was designed to intercept user-initiated transactions and modify them without the user’s consent or knowledge.

Mechanism of the Attack

The core function of the malicious extension was to inject a 0.25% transfer fee into the user’s swap transaction data. When a user executed a swap on Raydium, the extension would alter the transaction to include this additional fee. The fee was not displayed on the user interface, making it difficult for the victim to detect. The funds generated from this hidden fee were then automatically transferred to a wallet controlled by the attacker.

The code specifically monitored for activity on the raydium.io domain. Upon detecting a swap, it would execute its payload to manipulate the transaction details before the user approved it in their Solana wallet, effectively stealing a small percentage of every trade made by an infected user.
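The mitigation that follows from the behaviour above is a pre-sign review on the wallet side: before approving a swap, enumerate the transaction's instructions and flag any value transfer whose destination is not part of the expected swap. The block below is an added example, not code from the article, Raydium or Solana; it uses a constructed, simplified instruction shape rather than the real @solana/web3.js transaction structure, and all account names and amounts are illustrative.

```javascript
// Added example (not code from the article, Raydium or Solana): a wallet-side
// pre-sign review that flags value transfers a swap should not contain, i.e.
// the hidden fee instruction described above. The transaction shape is a
// constructed simplification, not the real @solana/web3.js structure.
const BASIS_POINTS = 10_000;
// Programs whose "transfer" instructions move value out of the user's accounts.
const TRANSFER_PROGRAMS = new Set(["system", "spl-token"]);

// tx: { instructions: [{ program, kind, destination, amount }] }
// expected: { swapProgram, inputAmount, allowedDestinations: Set<string> }
// Returns { ok, findings }, where findings describes every flagged instruction.
function reviewSwapTransaction(tx, expected) {
  const findings = [];
  let sawSwap = false;
  tx.instructions.forEach((ix, i) => {
    if (ix.program === expected.swapProgram) {
      sawSwap = true;
    } else if (TRANSFER_PROGRAMS.has(ix.program)) {
      if (ix.kind === "transfer" && !expected.allowedDestinations.has(ix.destination)) {
        // Express the unexpected outflow relative to the swap input, so a
        // 0.25% skim reads as 25 bps rather than an opaque lamport count.
        const bps = Math.round((ix.amount * BASIS_POINTS) / expected.inputAmount);
        findings.push(`instruction ${i}: transfer of ${ix.amount} (${bps} bps of input) to unexpected destination ${ix.destination}`);
      }
    } else {
      findings.push(`instruction ${i}: unexpected program ${ix.program}`);
    }
  });
  if (!sawSwap) findings.push(`no ${expected.swapProgram} instruction in transaction`);
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a 1 SOL (1e9 lamport) swap with a 0.25% transfer appended
// to a placeholder attacker address; account names are illustrative only.
const SAMPLE_EXPECTED = {
  swapProgram: "raydium-amm",
  inputAmount: 1_000_000_000,
  allowedDestinations: new Set(["USER_WSOL_ACCOUNT", "POOL_VAULT"]),
};
const SAMPLE_TX = {
  instructions: [
    { program: "system", kind: "transfer", destination: "USER_WSOL_ACCOUNT", amount: 1_000_000_000 },
    { program: "raydium-amm", kind: "swap" },
    { program: "system", kind: "transfer", destination: "ATTACKER_WALLET_PLACEHOLDER", amount: 2_500_000 },
  ],
};

console.log(reviewSwapTransaction(SAMPLE_TX, SAMPLE_EXPECTED));
```

On the sample the review reports one finding, the appended 25 bps transfer to the unexpected destination; with that instruction removed the same swap passes.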

Discovery and Removal

The malicious activity was brought to light by cybersecurity analysts who investigated the extension’s behavior. Once the code’s function was confirmed and reported, Google removed the offending extension from the Chrome Web Store to prevent further downloads and protect users from the scheme. This incident demonstrates a tangible security risk associated with browser extensions that interact with cryptocurrency platforms: an extension with access to a trading site’s pages can alter a transaction before the wallet ever shows it to the user.

Source: https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html