Recently, a malicious Chrome extension named “Bull Checker” has been targeting Solana DeFi users, resulting in the loss of their tokens. The decentralized trading platform Jupiter Exchange was the first to identify the extension, which causes users’ tokens to be transferred to another wallet when they complete a transaction. Over the past week, Jupiter has received reports of several Solana users losing their tokens due to this extension.
After conducting a thorough investigation, Jupiter found that the Bull Checker extension initially appeared legitimate, allowing users to interact with decentralized applications (dApps) as usual. Interactions with the dApps looked normal, but the extension was able to modify the transactions sent to the wallet for signing, so that completing a transaction also transferred the user’s tokens to another wallet without their consent.
The investigation revealed that the Bull Checker extension had the ability to read and change all data on the website. Affected users of Raydium, an automated market maker (AMM) on the Solana blockchain, also had the Bull Checker extension installed. Malicious instructions were added to regular transactions conducted on the Jupiter and Raydium platforms, transferring users’ tokens and authority to a malicious address and presenting a significant risk to users.
Jupiter highlighted that the Bull Checker extension was categorized as ‘read-only,’ a tool for viewing the holders of memecoins. A read-only extension with the ability to read and change all data on the website is a major red flag, yet some users continued to install and use it. The extension was promoted by an anonymous Reddit account under the name “Solana_OG,” targeting individuals interested in trading memecoins. Jupiter advised users to exercise caution before installing any browser extension and provided safety measures to ensure the protection of their tokens and assets.
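One way to check installed extensions for the red flag described above, a supposedly read-only tool that can read and change data on every site, is to audit each extension's `manifest.json` for all-sites match patterns. This is an added example, not code from Jupiter or the original report; the sample manifests are constructed, and the directory passed on the command line (a browser profile's Extensions folder) is an assumption about the reader's setup.

```python
import json
import sys
from pathlib import Path

# Match patterns that cover every site; Chrome reports these as
# "Read and change all your data on all websites".
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _hits(values) -> list[str]:
    """Broad patterns present in a manifest list (non-string entries ignored)."""
    values = values if isinstance(values, list) else []
    return sorted(BROAD & {v for v in values if isinstance(v, str)})


def broad_host_access(manifest: dict) -> list[str]:
    """Return the manifest fields that grant access to all websites."""
    findings = []
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        if hits := _hits(manifest.get(key)):
            findings.append(f"{key}: {', '.join(hits)}")
    # A content script matched on every page can alter what a dApp sends to the wallet.
    scripts = manifest.get("content_scripts")
    for i, script in enumerate(scripts if isinstance(scripts, list) else []):
        if isinstance(script, dict) and (hits := _hits(script.get("matches"))):
            findings.append(f"content_scripts[{i}].matches: {', '.join(hits)}")
    return findings


def audit_extensions(extensions_dir: Path) -> dict[str, list[str]]:
    """Map each extension directory under extensions_dir to its findings."""
    report = {}
    for path in sorted(extensions_dir.rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        if isinstance(manifest, dict) and (found := broad_host_access(manifest)):
            report[str(path.parent)] = found
    return report


# Constructed sample manifests, not taken from any real extension.
SAMPLE_NARROW = {"manifest_version": 3, "name": "holder-viewer",
                 "host_permissions": ["https://api.example.com/*"]}
SAMPLE_BROAD = {"manifest_version": 3, "name": "holder-viewer",
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    # Argument: a browser profile's Extensions directory (location is an assumption).
    for ext_dir, found in audit_extensions(Path(sys.argv[1])).items():
        print(ext_dir, *found, sep="\n  ")
```

A finding is not proof of malice, since many legitimate extensions need all-sites access; it marks the extensions whose stated purpose should be compared against what they can actually touch.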
In conclusion, the Bull Checker Chrome Extension poses a serious threat to Solana DeFi users by maliciously transferring their tokens to unauthorized wallets. The extension has been deceiving users by appearing legitimate and normal during interactions with dApps but executing unauthorized transactions in the background. It is crucial for users to be cautious when installing browser extensions, especially those advertised anonymously or with questionable purposes. By following safety measures and staying vigilant, users can protect themselves from falling victim to such malicious activities in the cryptocurrency space.