Solana-based Jupiter alerts of malicious Chrome extension draining wallets

Jupiter exchange has warned about a malicious Chrome extension called “Bull Checker” that it says is targeting Solana users.

The exchange’s warning comes after Solana (SOL) decentralized finance users complained that their crypto wallets were being emptied.

In a post published on X on August 19, the Jupiter (JUP) team said that they conducted extensive investigations into the complaints and identified the malicious browser extension.

Identifying Malicious Extensions
Last week, we received reports that a small number of users using Solana DeFi had their accounts deleted.

After extensive research, we discovered a malicious Chrome extension called “Bull Checker” that was targeting users on multiple websites. picture.twitter.com/pubayfmD9h

— Jupiter 🪐 (@JupiterExchange) August 19, 2024

According to the team’s post, Bull Checker targeted members of various Solana subreddits on the social platform Reddit. The team notes that while the extension allowed users to interact with decentralized applications on Solana as normal, in a few cases where users interacted with dapps, it added malicious instructions to a transaction that transferred users’ tokens to a different address.

Bull Checker requires permission to read and modify all data on the website upon installation. The Jupiter team said this requirement was unnecessary for a read-only extension that allows users to view meme coin holders.

This should have been a huge warning sign for users, but it seems many users continued to install and use the plugin.

Meow targets Chrome extension Solana users, promoted by Reddit founder Jupiter Exchange

The extension was allegedly introduced by an anonymous Reddit user using the alias “Solana_OG.” This user targeted members of different Solana subreddits who were looking to trade Solana meme coins and encouraged them to download the extension.

In one of his posts on Reddit, Solana_OG claimed that he earned $3,000 in a week using the extension.

By press time, the extension appeared to have been removed from the Chrome Web Store, with a notification on the link that read, “This item is not available.” Still, the Jupiter exchange team advised users to be wary of similar malicious extensions. The team asked members of the crypto community to be wary of extensions that ask for “read” and “modify” permissions.

Jupiter also warned users to be wary of all suggestions and popular tools, as scammers may use social engineering or astroturfing, the misleading practice of disguising a coordinated online campaign as spontaneous public feedback to gain the trust of potential victims. The project assured its users that it found no vulnerabilities in any of the major dApps or wallets on Solana during its research.