Solana Users and Memecoin Traders Suffer Drain Via Malicious Bull Checker

The "Bull Checker" extension, disguised as a read-only tool for viewing memecoin holders, was deceptively promoted on several Solana-related subreddits.

Over the past week, reports have emerged that a small number of Solana DeFi users experienced account drains. After a thorough investigation conducted in collaboration with partner researchers, blockchain investigators identified a malicious Chrome extension called “Bull Checker” as the culprit.

An example of a transaction that interacted with the malicious program can be found at the following address: 5UMucMksJweA1AtgyxrK8DJeBXr3DQGEGRs5Kkq2pZjr.

The “Bull Checker” extension, disguised as a read-only tool for viewing memecoin holders, was deceptively promoted on several Solana-related subreddits. Users who installed this extension interacted with dApps seemingly normally, with simulations appearing as expected.

However, the extension silently modified transactions, potentially diverting user funds to another wallet upon transaction completion.

Crucially, this incident highlights the importance of exercising extreme caution when granting permissions to browser extensions. “Bull Checker” was granted access to read and change data on all websites, a blatant red flag that should have alerted users. The extension’s purported functionality, simply viewing memecoin holders, did not justify such extensive permissions.
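The permission warning the article refers to (“read and change data on all websites”) is what Chrome shows when an extension's manifest requests host access to every site. The script below is an added example, not code from the article or from the investigators, that audits a Chrome extension manifest for that kind of broad host access across the three places it can be requested (MV3 `host_permissions`, MV2 `permissions`, and `content_scripts[].matches`). The two manifests in it are constructed for illustration and are not the real Bull Checker manifest; a holder viewer that only needs one API host is shown beside one that asks for everything.

```javascript
// Added example: audit a Chrome extension manifest for host access broad
// enough to read and change data on every website. Not the article's code;
// the manifests below are constructed and do not reproduce Bull Checker.

// Match patterns Chrome treats as "all websites" (or all of one scheme).
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>",
  "*://*/*",
  "http://*/*",
  "https://*/*",
  "file:///*",
  "ftp://*/*",
]);

// A match pattern whose host component is a bare "*" covers every host.
function isBroadHostPattern(pattern) {
  if (BROAD_HOST_PATTERNS.has(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Gather every host pattern the manifest requests, with where it came from.
// MV2 mixes match patterns and API permission names in "permissions", so
// only entries that look like match patterns are taken from that list.
function collectHostPatterns(manifest) {
  const out = [];
  for (const p of manifest.host_permissions || []) {
    out.push({ source: "host_permissions", pattern: p });
  }
  for (const p of manifest.permissions || []) {
    if (typeof p === "string" && (p.includes("://") || p === "<all_urls>")) {
      out.push({ source: "permissions", pattern: p });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) {
      out.push({ source: "content_scripts.matches", pattern: p });
    }
  }
  return out;
}

// Returns the findings a reviewer would want: which declarations grant
// the extension the ability to read and rewrite any page, including the
// pages of dApps the user never meant it to touch.
function auditManifest(manifest) {
  const findings = collectHostPatterns(manifest).filter((e) =>
    isBroadHostPattern(e.pattern)
  );
  return {
    name: manifest.name,
    manifestVersion: manifest.manifest_version,
    broadHostAccess: findings.length > 0,
    findings,
  };
}

// Constructed manifest: a holder viewer scoped to a single (hypothetical)
// API host. This is what a genuinely read-only tool should look like.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Constructed Holder Viewer (scoped)",
  host_permissions: ["https://api.example.invalid/*"],
  permissions: ["storage"],
};

// Constructed manifest: the same advertised purpose, but asking to inject
// scripts into and read from every website. This is the red flag.
const OVERPRIVILEGED_MANIFEST = {
  manifest_version: 3,
  name: "Constructed Holder Viewer (overprivileged)",
  host_permissions: ["<all_urls>"],
  permissions: ["storage", "scripting"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};

for (const m of [SCOPED_MANIFEST, OVERPRIVILEGED_MANIFEST]) {
  const r = auditManifest(m);
  console.log(`${r.name}: broad host access = ${r.broadHostAccess}`);
  for (const f of r.findings) console.log(`  ${f.source}: ${f.pattern}`);
}
```

The audit is deliberately narrow: it answers only whether the declared host access matches the tool's stated purpose, which is the check the article says users could have made before installing. Scheme-specific wildcards such as `https://*/*` are treated as broad because they still reach every site a wallet would be used on.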

The investigators emphasize that no vulnerabilities have been identified in any of the affected dApps or wallets. The drain resulted solely from the malicious actions of the “Bull Checker” extension.

The investigation involved a collaborative effort with Siji from OffsideLabs, 0xSoju, and 0xYankee, who provided valuable technical analysis.

Bull Checker Attack Targeted at Memecoin Traders

According to the source statement, memecoin traders were targeted by an anonymous Reddit account, “Solana_OG,” which actively promoted “Bull Checker” to users interested in trading memecoins. The account thus effectively singled out a specific group already susceptible to scams.

The extension struck while users were interacting with legitimate dApps on official domains. It silently modified transactions before they reached the wallet for signing, so the simulations still looked normal and the tampering went undetected.

Notably, while simulations appeared legitimate, the malicious instructions were executed on-chain. The extension monitored a specific SOL account to decide when to execute the malicious instructions, which helped it evade detection.