A new malicious browser extension called “Bull Checker” is reportedly targeting Solana users on Reddit by masquerading as a coin tracker.
This extension evades detection systems and has emptied Solana users’ wallets.
Targeted Solana Users
Last week, Jupiter’s pseudonymous founder Meow reported that a few Solana DeFi users had experienced unauthorized token losses. Through extensive investigation with partners, they traced the issue back to “Bull Checker,” an extension that was being pushed to users on various Solana-related subreddits.
The extension allowed users to interact with decentralized applications (dApps) normally, but it secretly transferred tokens to unauthorized wallets once the transaction was complete. Jupiter’s founder stressed that no vulnerabilities were found in the dApps or wallets themselves.
They urged users to immediately remove the “Bull Checker” extension, along with any similar extension that has broad permissions and that they cannot trust.
Bull Checker is presented as a read-only extension that displays coin holders. Such an extension should not need permission to read or write data on all websites, and that request should have worried users. Despite this, several users went ahead and installed and used it.
Once installed, Bull Checker waits for a user to interact with a standard dApp on its official domain, then modifies the transaction before it is signed by the wallet. The modified transaction always appears “normal” in the simulation, masking its true purpose of draining tokens.
While searching for the Chrome extension, the Jupiter founder also discovered that it was being promoted by an anonymous Reddit account, “Solana_OG.” This individual appeared to be targeting users looking to trade coins and was enticing them to download the extension.
A keen eye for warning signs
Meow issued a stern warning to users, stressing the importance of skepticism when encountering recommendations on Reddit or other media platforms, regardless of the number of upvotes or positive comments they receive.
The founder highlighted the dangers of “astroturfing and social engineering,” where malicious actors can manipulate public perception to spread harmful tools like the “Bull Checker” extension. He went on to say that extensions that require broad permissions, such as the ability to read and modify all website data, should be treated with extreme caution.
“While we have identified one malicious extension, there may be others. There have been other reported data leaks, but we have not been able to locate them. If you suspect an extension contains malware, especially if it has both read and modify permissions, uninstall it immediately.”
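The permission check recommended above can be run against the manifests of installed extensions. The following is an added example, not part of the original article and not Jupiter's tooling: it flags manifests that request access to all websites. The function names, the set of all-sites match patterns and the sample manifests are assumptions made for illustration; the directory layout assumed is Chrome's Extensions/<extension id>/<version>/manifest.json.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site (chosen set, Chrome match-pattern syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")


def broad_host_access(manifest: dict) -> dict:
    """Return the all-sites patterns a manifest requests, keyed by manifest field."""
    found = {}
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in HOST_KEYS:
        hits = sorted(p for p in manifest.get(key, [])
                      if isinstance(p, str) and p in BROAD_PATTERNS)
        if hits:
            found[key] = hits
    # Content scripts matched on every page can read and rewrite page data.
    hits = sorted({m for cs in manifest.get("content_scripts", [])
                   for m in cs.get("matches", []) if m in BROAD_PATTERNS})
    if hits:
        found["content_scripts"] = hits
    return found


def audit_extensions(root: Path) -> list:
    """Scan <root>/<id>/<version>/manifest.json; list extensions with all-sites access."""
    report = []
    for path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        hits = broad_host_access(manifest)
        if hits:
            report.append((path.parent.parent.name, manifest.get("name", "?"), hits))
    return report


# Constructed sample manifests (not taken from any real extension).
SAMPLE_TRACKER = {"manifest_version": 3, "name": "Sample coin tracker",
                  "permissions": ["storage"], "host_permissions": ["<all_urls>"],
                  "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]}
SAMPLE_SCOPED = {"manifest_version": 3, "name": "Sample scoped tool",
                 "host_permissions": ["https://api.example.com/*"]}

if __name__ == "__main__":
    print(broad_host_access(SAMPLE_TRACKER))
    print(broad_host_access(SAMPLE_SCOPED))
```

A hit is a reason to review the extension rather than proof of malice; many legitimate extensions request all-sites access, which is why the stated purpose (here, a read-only coin tracker) has to be weighed against what is requested.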