A malicious Chrome extension named “Bull Checker” has been draining tokens from Solana DeFi users over the past week.
The browser extension was first identified by the decentralized trading platform Jupiter Exchange, which flagged it for stealing tokens from several Solana users.
Identification Of Malicious Extension
— Jupiter 🪐 (@JupiterExchange) August 19, 2024
Over the last week, we received reports that a small number of users using Solana DeFi got drained.
After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several… pic.twitter.com/pubayfmD9h
Jupiter launched a thorough investigation after receiving reports of users losing their tokens. According to their findings, published on Tuesday, “Bull Checker” initially appeared legitimate, allowing users to interact with decentralized applications (dApps) without suspicion.
Jupiter discovered a malicious Chrome extension called "Bull Checker" that could allow users with this extension to have their tokens maliciously transferred to another wallet when a transaction is completed. In the past week, the team received reports that a small number of…
— Wu Blockchain (@WuBlockchain) August 20, 2024
“Users with this extension would interact with dApps as usual, with transaction simulations appearing normal, but their tokens could be maliciously transferred to another wallet upon transaction completion,” Jupiter explained.
Once the extension was installed, it would wait for the user to engage with a dApp on an official domain, then modify the transaction sent to the wallet for signing. The simulation result would misleadingly appear “normal,” concealing the malicious activity.
Jupiter emphasized that there is no vulnerability within the wallets or dApps themselves. The investigation revealed that “Bull Checker” had permissions to read and alter all data on the websites users visited.
Raydium, an automated market maker (AMM) on the Solana blockchain, also reported that its affected users had installed the same extension. According to Jupiter, “Malicious instructions were added to regular Jupiter and Raydium transactions, and users unknowingly signed off, transferring their tokens and authority to a malicious address.”
Jupiter further warned that “Bull Checker” was a ‘read-only’ extension, marketed to users as a tool to “view the holders of memecoins.” They noted, “There should be no need for an extension like this to read or write data on all websites.”
Despite this significant red flag, many users continued to install and use “Bull Checker.” The extension was promoted by an anonymous Reddit account named “Solana_OG,” specifically targeting those interested in trading memecoins and luring them to download the extension.
Jupiter also provided safety measures that users should consider before installing such extensions.