Recently, a malicious browser extension known as the “Bull Checker” has been causing havoc among Solana users on Reddit. This extension, disguised as a meme coin tracker, has successfully evaded detection systems and led to unauthorized token drains from users’ wallets.
Jupiter’s founder, Meow, uncovered the issue after several Solana DeFi users fell victim to unauthorized token transfers. An investigation with partners linked the problem to the “Bull Checker” extension, which was specifically targeting users on Solana-related subreddits. Surprisingly, the extension appeared harmless at first, allowing users to interact with decentralized apps normally. However, behind the scenes, it slyly transferred tokens to unauthorized wallets upon completing transactions.
Meow emphasized that the vulnerabilities were not within the dApps or wallets themselves but rather in the malicious extension. Users were advised to promptly remove the “Bull Checker” extension and any similar ones with suspicious permissions. Despite being labeled as a read-only extension for displaying meme coin holders, it required extensive permissions to read and write data on all websites, a red flag that users should have noticed.
Once installed, the “Bull Checker” extension lay dormant until a user interacted with a standard dApp on its official domain. It then tampered with the transaction before it was signed by the wallet, making the modified transaction appear authentic during the simulation. This deceptive tactic masked its true intent as a token drainer, duping unsuspecting users.
Further investigation revealed that the malicious extension was promoted by an anonymous Reddit account under the name “Solana_OG.” This individual specifically targeted users interested in trading meme coins, enticing them to download the harmful extension. Meow cautioned users to be vigilant and skeptical of recommendations on Reddit and other media platforms, regardless of their popularity or positive feedback.
This incident underscores the dangers of malicious browser extensions and the importance of exercising caution online. Users should be wary of extensions that request extensive permissions, especially those related to reading and modifying website data. While the “Bull Checker” extension has been identified and addressed, there may still be others lurking in the shadows, waiting to deceive unsuspecting users. Stay vigilant and prioritize your online security to avoid falling victim to similar threats.
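The permission red flag described above can be checked mechanically before an extension is trusted. The following Python check is an added example, not code from the original report and not the actual extension's manifest: it flags any manifest that requests access to all websites. Both sample manifests are constructed, and the function name broad_host_access is hypothetical.

```python
import json

# Match patterns that grant access to every site (Chrome/Firefox manifest syntax).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest):
    """Return (manifest key, pattern) pairs that give the extension all-site access."""
    findings = []
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_PATTERNS:
                findings.append((key, entry))
    # Content scripts run inside every page they match and can change page behaviour.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append((f"content_scripts[{i}].matches", pattern))
    return findings

# Constructed sample: described as a read-only tracker, yet asks for every site.
SAMPLE_TRACKER = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Holder Tracker (constructed)",
  "permissions": ["storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]
}
""")

# Constructed sample: access limited to a single API host.
SAMPLE_NARROW = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Price Widget (constructed)",
  "permissions": ["storage"],
  "host_permissions": ["https://api.example.com/*"]
}
""")

if __name__ == "__main__":
    for m in (SAMPLE_TRACKER, SAMPLE_NARROW):
        hits = broad_host_access(m)
        print(m["name"], "->", hits or "no all-site access")
```

A finding is not proof of malice, since many legitimate extensions need broad access, but it shows when the requested permissions exceed what the extension's stated purpose requires.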