Coinspeaker
Malicious Chrome Extension ‘Bull Checker’ Targets Solana Users
The malicious extension pretends to be a harmless read-only tool that allows users to check their cryptocurrencies. However, its main aim is to trick users into transferring their funds to another wallet. Jupiter stated:
“Users with this extension would interact with dApps as normal, with the simulation showing up as usual, but have the possibility of their tokens being maliciously transferred to another wallet upon transaction completion.”
The exchange revealed that the extension’s ability to pass Solana‘s simulation checks makes it particularly dangerous. It waits for users to interact with legitimate decentralized applications before modifying transactions. This modification isn’t detected during simulation, allowing the drainer to operate unnoticed.
According to Jupiter’s research, Bull Checker was promoted by a Reddit account with the username Solana_OG, targeting Solana meme coin traders. The account was tricking traders into downloading the extension to steal their assets.
It was revealed that the extension focuses more on installed wallets since it can read and change data on all websites. Jupiter noted that Bull Checker changes the wallet adapter’s signTransaction method with its own version, sending the unsigned transaction to a remote server and adding a call to a drainer program. Jupiter explained:
“This extension specifically targets installed wallets. Since it can read and change the data on all websites, it actively monitors apps containing the wallet adapter. It replaces the wallet adaptor’s signTransaction method with its own implementation, forwarding the unsigned transaction to a remote server and attaching a call to a drainer program. If the mutated transaction is signed by the user, the drainer program can transfer all tokens from the victim.”
Jupiter’s Advice for Crypto Users
Jupiter emphasized that Bull Checker, which was promoted on Reddit as a tool for viewing meme coin holders, should have no reason to read or write data, as it’s unnecessary for a simple wallet-checking tool. Jupiter noted:
“Bull Checker is supposed to be a read-only extension that allows you to view the holders of memecoins. There should be no need for an extension like this to read or write data on all websites. This should have been a major red flag for users, but apparently several users continued to install and use the extension.”
Jupiter warned crypto users to immediately remove Bull Checker or any similar extension with such extensive permissions. They noted that no vulnerabilities were found in major Solana DApps or wallets during their investigation.
Furthermore, Jupiter advised crypto users not to trust any tool based solely on social media hype, as people can be manipulative in achieving illicit goals. This incident follows recent security issues in the Solana ecosystem. In June, Dubai Blockchain Center co-founder Matthias Mende lost over $100,000 in Solana from his Phantom Wallet after participating in a meme coin pre-sale event.
Malicious Chrome Extension ‘Bull Checker’ Targets Solana Users
