Bull Checker Extension Drains Solana Wallets, Targets Users

Bull Checker Extension Drains Solana Wallets, Targets Users

In Summary

  • A malicious Chrome extension called “Bull Checker” has been targeting Solana DeFi users
  • The extension steals tokens by modifying transactions before they are signed
  • The extension was promoted on social media as a meme coin tracker
  • Users are urged to uninstall the extension and be cautious of other similar threats


New York, Wednesday, August 21, 2024- A malicious Chrome extension labeled “Bull Checker” has been targeting Solana decentralized finance (DeFi) users, draining their wallets by exploiting a seemingly legitimate interface.

The issue was first identified by Jupiter Exchange on August 19, 2024, following reports from affected users.

The extension, disguised as a meme coin tracker, was found to be stealing tokens from Solana users who interacted with decentralized applications (dApps).

Jupiter’s founder, known as Meow, revealed that the extension had been promoted on Solana-related social media platform by an anonymous account named “Solana_OG,” which targeted users interested in trading meme coins.

The “Bull Checker” extension allows users to interact normally with dApps, but secretly modifies transactions before they are signed by the wallet.

These modifications divert tokens to unauthorized wallets, while the transaction simulation appears normal to the user. This deceptive method enabled the extension to evade detection by standard security measures.

Despite its read-only design, the extension required permissions to read and write data on all websites, a significant red flag that many users overlooked. Once installed, the extension would wait for the user to interact with a dApp, alter the transaction, and drain the user’s tokens.

Jupiter Exchange’s investigation confirmed that there were no vulnerabilities within the dApps or wallets themselves. However, the presence of the extension on users’ browsers was sufficient to compromise their security.

Meow has urged users to uninstall the “Bull Checker” extension immediately and exercise caution with any browser extensions that request extensive permissions.

He warned that while this malicious extension has been identified, other similar threats may still exist. Users are advised to treat any extensions with both “read” and “change” permissions with extreme skepticism.

The incident underscores the ongoing risks associated with decentralized finance and the need for vigilant security practices among cryptocurrency users.

Jupiter’s Post on X can be reached here.

Protected by Copyscape