A new malicious browser extension called “Bull Checker” targets Solana users on Reddit by masquerading as a meme coin tracker.
This extension evades detection systems and has drained the wallets of Solana users.
Targeted Solana users
Last week, Jupiter’s pseudonymous founder, Meow, reported that some Solana DeFi users experienced unauthorized token drains. Through extensive research with partners, they traced the issue back to “Bull Checker,” which had targeted users on several Solana-related subreddits.
This extension allowed users to interact normally with decentralized applications (dApps), but secretly transferred tokens to unauthorized wallets after the transaction was completed. Jupiter’s founder emphasized that no vulnerabilities were found in dApps or wallets.
They urged users to remove the “Bull Checker” extension or any similar extension with extensive permissions that they cannot immediately trust.
Bull Checker is designed as a read-only extension meant to display meme coin holders. An extension like this should not need permission to read or write data on all websites, and the fact that it asked for that permission should have raised concerns for users. Despite this, several users proceeded to install and use it.
Once installed, Bull Checker waits until a user interacts with a standard dApp on its official domain, then modifies the transaction before it is signed with the wallet. The modified transaction still looks “normal” in the simulation, hiding its true intent as a drain.
While researching the Chrome extension, Jupiter’s founder also discovered that it was promoted by an anonymous Reddit account, “Solana_OG.” This individual appeared to target users looking to exchange meme coins and lured them into downloading the extension.
Keep an eye out for red flags
Meow issued a strong warning to users, stressing the importance of skepticism when encountering recommendations on Reddit or other media platforms, regardless of how many upvotes or positive comments they receive.
The founder highlighted the dangers of “astroturfing and social engineering,” where bad actors can manipulate public perception to spread harmful tools like the “Bull Checker” extension. They also added that extensions that ask for extensive permissions, such as the ability to read and modify all website data, should be treated with extreme caution.
“Although we have identified one malicious extension, there could still be other malicious extensions. There have been reports of other drains that we have not been able to locate. If you suspect an extension contains malware, especially if it has both “read” and “change” permissions, uninstall it immediately.”
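A check for the red flag described above, as an added example that is not part of the original article: it parses Chrome extension manifests and lists those that request access to all websites. The sample manifests and extension names are constructed; the manifest keys and match patterns are the standard Chrome ones.

```python
import json

# Match patterns that grant access to every site. Chrome summarises these
# as "Read and change all your data on all websites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def broad_host_access(manifest):
    """Return (manifest key, pattern) pairs that grant access to all sites."""
    hits = []
    for key in HOST_KEYS:
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in ALL_SITES:
                hits.append((key, entry))
    # Content scripts injected into every page can also read and rewrite it.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in ALL_SITES:
                hits.append(("content_scripts.matches", pattern))
    return hits

def audit(manifest_texts):
    """Map extension name to its broad grants; extensions without any are omitted."""
    report = {}
    for text in manifest_texts:
        manifest = json.loads(text)
        hits = broad_host_access(manifest)
        if hits:
            report[manifest.get("name", "<unnamed>")] = hits
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLES = [
    json.dumps({"manifest_version": 3, "name": "Holder Viewer (constructed)",
                "permissions": ["storage"], "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}),
    json.dumps({"manifest_version": 3, "name": "Price Badge (constructed)",
                "permissions": ["storage"],
                "host_permissions": ["https://api.example.com/*"]}),
    json.dumps({"manifest_version": 2, "name": "Legacy Helper (constructed)",
                "permissions": ["tabs", "*://*/*"]}),
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, "->", hits)
```

To review a real browser profile, pass the contents of each installed extension's `manifest.json` to `audit` in place of the samples.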