Malicious ‘bull checker’ chrome extension found targeting Solana users

Decentralized exchange aggregator Jupiter says it has identified a new malicious browser extension. The extension has already drained the wallets of several Solana users and can even sneak past detectors.

In an Aug. 20 research post, pseudonymous Jupiter founder Meow said “Bull Checker” — a nefarious Google Chrome browser extension — had been targeting Solana users on Reddit, advertising itself as an extension to view all the holders of specific memecoins. 

“If you have this extension (or similar extensions with extensive permissions you cannot trust), please remove it immediately,” wrote Jupiter in an Aug. 19 post to X. 

Meow said the extension was able to pass Solana simulation checks and “appear normal” but was actually a drainer designed to steal funds from users’ wallets.

“After installing Bull Checker, it will wait till a user interacts with a regular DApp on the official domain, before modifying the transaction sent to the wallet to sign. After modification, the simulation result will still be ‘normal’ and not appear to be a drainer,” explained Meow.

Meow said the Bull Checker extension asked users to accept permissions to “read and write” data, adding that any legitimate wallet-checking extension should only ever ask for ‘read-only” permissions. 

“This should have been a major red flag for users, but apparently, several users continued to install and use the extension,” he said. 

“Users with this extension would interact with the DApps as per normal, have the simulation show up as normal, but have the possibility of their tokens being maliciously transferred to another wallet upon transaction completion,” he added. 

Related: Solana ETF ‘still in play’ despite Cboe filing removal — VanEck exec

One of the users advertising the malicious extension on Reddit said they’d used it to make $3,000 in the last week without providing any further specifics. 

Jupiter reassured users that no vulnerabilities were discovered in any of the major decentralized applications (DApps) or wallets on the Solana network during their investigation. 

The discovery of the “Bull Checker” extension comes less than two weeks after Solana-based decentralized futures exchange Cypher Protocol halted its smart contract system in the wake of an estimated $1 million exploit.

Meanwhile, on July 8, Matthias Mende, co-founder of the Dubai Blockchain Center, told Cointelegraph he had fallen victim to an exploit where a hacker managed to steal over $100,000 in Solana (SOL) from his Phantom Wallet following his participation in a memecoin pre-sale event. 

Mende said he still doesn’t know how the hack occurred. 

Magazine: 5 dangers to beware when apeing into Solana memecoins