How to Spot the Bull Checker Scam Threatening Solana Users

• A compromised browser extension poses a significant threat to crypto users.
• Several Solana users have fallen victim to the Bull Checker extension scam.
• Users are advised to employ key safety techniques.

Malicious actors in the crypto industry have evolved over the past years, becoming increasingly subtle and sophisticated in their bid to exploit unsuspecting victims. What was once limited to obvious phishing attempts and scams has now shifted towards stealthy infiltration, often facilitated through compromised applications that appear harmless when, in fact, they are dangerous.

The latest threat, a malicious Chrome browser extension, has significantly damaged several users, prompting the urgent need for vigilance and safety measures.

What Is the Malicious Chrome Extension?

Threat actors have been using browser extensions in recent months to gain unauthorized access to users’ funds. According to recently published research by the decentralized trading platform Jupiter, a Chrome extension called “Bull Checker” is the latest software used to infiltrate and exploit users.

Originally designed as a tool that allows users to track memecoin holders, the extension has been weaponized to gain permissions beyond necessary, allowing it to read and modify website data.

The manipulation enables threat actors to exploit unsuspecting users by accessing their data, making unauthorized changes, and ultimately redirecting their funds.

How the Bull Checker Chrome Extension Scam Works

Upon installing Bull Checker, the extension lurks until the user interacts with a decentralized application (dApp) on the Solana blockchain. When this occurs, the extension hijacks and injects malicious instructions into the process, even without any vulnerability or weakness on the target account. 

However, the transaction simulation will appear normal. This prevents any alert of manipulation while the user’s tokens are rerouted to the attacker’s wallet.

Source: JupiterExchange

For example, in the transactions highlighted in the report, two users of Jupiter and Raydium separately interacted with their dApps as usual, only to have their funds drained upon completing the transactions. In each instance, the extension tricked users into approving a seemingly legitimate transaction, resulting in the theft of their assets.

Who the Malicious Bull Checker Extension Targets

Some Solana DeFi users have reported drains on their accounts over the past week. Jupiter Exchange stated that the primary targets of the Bull Checker extension are crypto traders , specifically those involved in memecoin trading.

An anonymous Reddit user under the alias “Solana_OG” also took to a group with the extension’s promotion, suggesting a goal to trick traders into downloading the extension under the guise of it being harmless.

What to Do to Stay Safe

To avoid falling victim to the Bull Checker Extension scam, users must implement the following cautionary measures:

• Uninstall Suspicious Extensions: Users who have installed the Bull Checker Chrome browser should immediately remove the extension. Users must also uninstall any other extensions with excessive permissions, particularly those that can read and modify all website data.
• Monitor Browser Extension Permissions: Extensions like Bull Checker should not need access to modify data on every website. Users must scrutinize the permissions requested by any extension before use.
• Exercise Caution with Social Media Recommendations: The tactics involved in the promotion of these compromised extensions often capitalize on trust within the community, where users often rely on peer recommendations. Do not blindly trust an extension simply because of its community support, and do your own research before use.
• Utilize Trusted Security Features: Users should adopt safety-focused wallets and applications to prevent unauthorized access by malicious actors. Jupiter Exchange highlighted that Blowfish has recently introduced a SafeGuard instruction feature to counter simulation spoofing attacks. Solana wallet users are encouraged to use wallets supporting this new added protection feature.

On the Flipside

• The total amount lost to the Bull Checker extension scam is unspecified.
• In June 2024, a Chinese Binance user reported a $1 million hack facilitated by a malicious Chrome extension.
• The second quarter of 2024 saw losses totaling $573 million from global crypto hacks and scams. 

Why This Matters

The malicious Bull Checker Chrome extension is another reminder of the evolving threat tactics used by malicious actors to exploit the crypto industry. As these threats become more subtle, understanding the risks of interacting with seemingly harmless extensions is crucial, and users must adopt safety measures to ensure protection.

Read this article for more about the Binance hack facilitated by a malicious browser extension: 
Are Your Crypto Extensions Safe? $1M Binance Hack Reveals Risks

Discover how Australia is bolstering the fight against crypto cybercrime:
Australia Escalates Crypto Scam Crackdown