Last week, there were reports of a few Solana decentralized finance (DeFi) users who unfortunately lost their funds.
According to cybersecurity experts from Jupiter Research, they have identified the source of the theft as a Chrome extension called “Bull Checker” after conducting a thorough investigation.
This extension specifically targeted users on Solana-related subreddits and secretly siphoned off their tokens without raising any alarms from the users' wallets.
The “Bull Checker” extension was advertised as a helpful instrument for monitoring memecoin holders. However, the developers had more evil motives hiding in the shadows.
Although it seemed trustworthy, this extension took advantage of its extensive permissions to access and modify data on all websites, including decentralized applications (dApps) that users engaged with.
Users experienced no issues when installing Bull Checker and conducting transactions on Solana dApps.
The extension provided accurate transaction simulations, giving users a false sense of security. After the transaction was finished, the extension secretly included harmful instructions that redirected the tokens to a hacker's wallet.
Bull Checker was created to fly under the radar and avoid arousing any suspicion.
During the transaction simulation phase, which usually detects malicious activity, the extension was smart enough to abort its attack if the user's balance was insufficient, effectively bypassing initial checks.
However, once the simulation was complete, the attacker bundled together several transactions and siphoned off funds.
In one example, a user lost 0.06 SOL without realizing it, when they unintentionally approved a transaction that gave the hacker control over their token authority.
Though it left a puzzle for many users as to what caused their crypto to be drained, the Jupiter Research team found an unexpected issue with the Bull Checker extension.
Originally designed to have read-only capabilities, it was discovered that the extension had the ability to both read and modify data on all websites.
It was able to monitor Solana wallets, intercept transactions, and manipulate them by sending unsigned transactions to a remote server.
The server would attach a malicious payload to the transaction, which would transform a legitimate transfer into a theft.
Shockingly, Bull Checker was even promoted on Reddit by some users, who specifically aimed at memecoin traders and persuaded them to install the harmful extension.