A malicious Chrome extension called “Bull Checker” has been targeting Solana DeFi users, resulting in their tokens being drained in the past week. Decentralized trading platform Jupiter Exchange first identified the extension, highlighting that it was stealing tokens from several Solana users. The extension let users interact with decentralized applications (dApps) as usual, but it was able to transfer their tokens to another wallet when a transaction completed. Jupiter conducted a detailed investigation into the extension after receiving reports of users losing their tokens.

The investigation revealed that, once installed, Bull Checker would wait for the user to interact with a dApp on the official domain. The extension would then modify the transaction sent to the wallet for signing. Despite the modification, the simulation result appeared normal and did not indicate any malicious activity. Jupiter confirmed that there were no vulnerabilities within the wallets or dApps themselves. The extension had permission to read and change all data on the website, which led users to unknowingly transfer tokens and authority to a malicious address. Raydium, an automated market maker (AMM) on the Solana blockchain, reported affected users who had installed the extension.

Regarding the nature of the Bull Checker extension, Jupiter flagged it as a ‘read-only’ extension that allowed users to view memecoin holders. The platform emphasized that an extension of this kind should have no need to read or write data on all websites, and that such a permission request is a major red flag. Despite this warning, several users continued to install and use Bull Checker, potentially putting their tokens at risk. The extension was also promoted by an anonymous Reddit account under the name “Solana_OG,” targeting individuals interested in trading memecoins. Jupiter provided safety measures for users to consider before installing similar extensions to avoid falling victim to such malicious activities.
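The red flag described above can be checked before an extension is trusted. The following is an added example, not code from Jupiter or from the extension itself: it inspects a parsed `manifest.json` for host patterns that grant access to every website. Both sample manifests are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example: flag Chrome extension manifests that request access to all sites.
// Chrome match patterns that cover every (or nearly every) website.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns a list of { where, pattern } findings for a parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  const check = (where, patterns) => {
    for (const p of patterns || []) {
      if (typeof p === "string" && BROAD_PATTERNS.has(p)) {
        findings.push({ where, pattern: p });
      }
    }
  };
  // Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
  check("permissions", manifest.permissions);
  check("host_permissions", manifest.host_permissions);
  check("optional_host_permissions", manifest.optional_host_permissions);
  // Content scripts run inside every matching page and can read and change it,
  // including what a dApp page hands to the wallet for signing.
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample: a "holder viewer" that asks for far more than it needs.
const broadManifest = {
  manifest_version: 3,
  name: "Sample Holder Viewer (constructed)",
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

// Constructed sample: the same feature scoped to one data source (placeholder host).
const scopedManifest = {
  manifest_version: 3,
  name: "Sample Scoped Viewer (constructed)",
  permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"],
};

console.log("broad:", auditManifest(broadManifest));
console.log("scoped:", auditManifest(scopedManifest));
```

A non-empty result corresponds to Chrome's "read and change all your data on all websites" install prompt, which a read-only viewer should not need.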

In conclusion, the Chrome extension “Bull Checker” has been identified as a malicious tool targeting Solana DeFi users, leading to the draining of their tokens. Jupiter Exchange conducted an investigation after receiving reports of users losing their tokens, revealing that the extension could modify transactions and transfer tokens to a malicious address without the user’s knowledge. Despite warnings and red flags, some users continued to install and use the extension, putting their assets at risk. It is essential for users to practice caution and follow safety measures when installing browser extensions to avoid falling prey to similar fraudulent schemes in the future.
