A new malicious browser extension called the “Bull Checker” is reportedly targeting Solana users on Reddit by masquerading as a meme coin tracker.
This extension evades detection systems and has drained Solana users’ wallets.
Solana Users Targeted
In the past week, Jupiter’s pseudonymous founder, Meow, reported that a few Solana DeFi users experienced unauthorized token drains. Through a thorough investigation with partners, they traced the issue to “Bull Checker,” which had been targeting users on various Solana-related subreddits.
This extension allowed users to interact normally with decentralized apps (dApps), but it secretly transferred tokens to unauthorized wallets upon transaction completion. Jupiter’s founder stressed that no vulnerabilities were found in the dApps or wallets themselves.
They urged users to immediately remove the “Bull Checker” extension or any similar ones with extensive permissions that they cannot trust.
Bull Checker is presented as a read-only extension that displays meme coin holders. Such an extension has no need for permission to read or write data on all websites, and that request should have raised concerns for users. Despite this, several users proceeded to install and use it.
Once installed, Bull Checker waits until a user interacts with a standard dApp on its official domain, then alters the transaction before it is signed by the wallet. The modified transaction still appears “normal” in the simulation, concealing its true intent as a drainer.
While researching the Chrome extension, Jupiter’s founder also discovered that it was promoted by an anonymous Reddit account, “Solana_OG.” This individual seemed to target users looking to trade meme coins and lured them into downloading the extension.
Keen Eye for Red Flags
Meow issued a strong warning to users, stressing the importance of skepticism when encountering recommendations on Reddit or other media platforms, regardless of how many upvotes or positive comments they receive.
The founder highlighted the dangers of “astroturfing and social engineering,” where bad actors manipulate public perception to spread harmful tools like the “Bull Checker” extension. They added that extensions requesting extensive permissions, such as the ability to read and modify all website data, should be treated with extreme caution.
“While we have identified one malicious extension, there might still be other malicious extensions out there. There have been reports of other drains that we have not been able to track down. If you suspect an extension contains malware, particularly if they have both “read” and “change” permissions, uninstall it immediately.”
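The permission check recommended above can be automated. The following is an added example, not code from Jupiter or the original article: a Python audit that flags extensions whose manifest.json requests access to every website. The list of broad patterns, the function names and the constructed sample manifest are assumptions; pass the path of a browser profile's Extensions directory to scan real installs.

```python
import json
import sys
from pathlib import Path

# Chrome match patterns that cover every site (exact matches only; an assumption).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest: dict) -> dict:
    """Return {manifest_field: [broad patterns]} for one parsed manifest.json."""
    findings = {}

    def check(field, patterns):
        hits = sorted(p for p in patterns if isinstance(p, str) and p in BROAD_PATTERNS)
        if hits:
            findings[field] = hits

    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for field in ("permissions", "host_permissions", "optional_host_permissions"):
        check(field, manifest.get(field, []))
    # Content scripts are injected into every page their "matches" cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        check(f"content_scripts[{i}].matches", script.get("matches", []))
    return findings

def audit_extensions_dir(root: Path) -> dict:
    """Scan <root>/<extension id>/<version>/manifest.json and return flagged ones."""
    flagged = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        findings = broad_host_access(manifest)
        if findings:
            flagged[str(path)] = {"name": manifest.get("name", "?"), "findings": findings}
    return flagged

# Constructed sample: a "read-only" holder tracker that asks for every site.
SAMPLE_TRACKER = {
    "manifest_version": 3,
    "name": "Example Holder Tracker (constructed)",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    scan = len(sys.argv) > 1  # optional argument: an Extensions directory
    result = audit_extensions_dir(Path(sys.argv[1])) if scan else broad_host_access(SAMPLE_TRACKER)
    print(json.dumps(result, indent=2))
```

A flagged extension is not necessarily malicious; the output is a shortlist of extensions that can read and change data on all sites and therefore deserve the scrutiny described above.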