Decentralized trading platform Jupiter reported that some users of Solana DeFi got their assets drained due to a malicious Chrome extension called “Bull Checker.”
The crypto scammer targeted users on several Solana-related subreddits by falsely promoting “Bull Checker.”
The trading platform worked with Offside Labs — a web3 security auditor — to create the report revealing the details of the latest cyber-attack. The investigations found that there was no vulnerability in any of the named dApps or wallets.
Jupiter claimed that users with this extension interacted with the “dApps as per normal, have the simulation show up as normal.” However, once the transaction completed, the tokens are suspected of having been maliciously transferred to another wallet.
Further investigation found that the fraudulent Chrome extension had permission to read and change all data on every website, which is considered the likely cause. When installed, the Bull Checker extension requested permission to “read and change all your data on all websites.”
This permission let the malicious extension read and modify data on every website. Bull Checker waited for the user to interact with a legitimate dApp on its official domain, then modified the transaction sent to the wallet for signing. Although the transaction passed through a simulation check, it was not identified as malicious.
A Reddit account under the pseudonym of “Solana_OG” — the suspected bad actor — had promoted “Bull Checker,” specifically targeting memecoin traders.
Beyond Bull Checker, Jupiter warned that other malicious extensions may still be circulating. One warning sign of a malicious extension is a program that asks for both “read” and “change” permissions.
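As an added example (not from the Jupiter or Offside Labs report), the check below applies that rule to Chrome extension manifests: it flags the wildcard host patterns that trigger Chrome's “read and change all your data on all websites” warning, whether they appear in MV2 `permissions`, MV3 `host_permissions`, or a content script's `matches` list. The sample manifests are constructed; the report does not publish Bull Checker's real manifest.

```python
import json

# Host patterns that make Chrome warn "Read and change all your data on all websites".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest: dict) -> list[str]:
    """Return why a manifest grants read/change access to every site (empty list: none found)."""
    # Checked: MV2 'permissions', MV3 'host_permissions', and each content_scripts 'matches' list.
    reasons = []
    for key in ("permissions", "host_permissions"):
        hits = BROAD_HOST_PATTERNS.intersection(manifest.get(key, []))
        if hits:
            reasons.append(f"{key} includes {sorted(hits)}")
    for i, script in enumerate(manifest.get("content_scripts", [])):
        hits = BROAD_HOST_PATTERNS.intersection(script.get("matches", []))
        if hits:
            reasons.append(f"content_scripts[{i}].matches includes {sorted(hits)}")
    return reasons


def audit_manifests(manifests: dict[str, str]) -> dict[str, list[str]]:
    """Parse each manifest.json text; return {name: reasons} for extensions with all-sites access."""
    flagged = {}
    for name, text in manifests.items():
        reasons = broad_host_access(json.loads(text))
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample manifests; the report does not publish Bull Checker's real manifest.
SAMPLE_MANIFESTS = {
    "all-sites-content-script": json.dumps({
        "manifest_version": 3,
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
    "mv2-wildcard-scheme": json.dumps({
        "manifest_version": 2,
        "permissions": ["storage", "*://*/*"],
    }),
    "scoped-to-one-site": json.dumps({
        "manifest_version": 3,
        "host_permissions": ["https://example.com/*"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["page.js"]}],
    }),
}
```

To audit a real profile, feed it the text of each `manifest.json` under the browser's extensions directory; a content script matching every site is what lets an extension sit on a dApp's official domain and alter what reaches the wallet.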