Malicious Browser Extension Hijacks Solana Transactions
Jupiter Research has published the findings of its investigation into an incident in which some users of DeFi applications on the Solana platform lost their funds. The cause of the incident was the malicious browser extension Bull Checker. The plugin targeted users actively participating in discussions on several subreddits related to Solana.
The Bull Checker extension was ostensibly developed as a tool for viewing meme coin holders and was supposed to perform only data-reading functions. However, in practice, the plugin gained access to all information on websites visited by users and could modify it. Users might not have noticed anything suspicious while interacting with decentralized applications (dApps), but after completing a transaction, tokens could be transferred to another wallet.
It is important to note that no vulnerabilities were found in any of the dApps or wallets. The issue lay solely in the operation of the malicious extension, which stealthily added extra commands to ordinary transactions, resulting in a loss of control over the tokens.
Specific transactions were identified where malicious instructions had been injected into standard operations on the Jupiter and Raydium platforms. The extension waited for the user to interact with a dApp on an official domain, after which it modified the transaction sent for signing in the wallet. Users signed these transactions, unaware that they included commands to transfer tokens to another address.
The extension targeted meme coin traders and was promoted on Reddit by an anonymous account named “Solana_OG,” which lured users into installing the malicious software.
Users are strongly advised to immediately uninstall the Bull Checker extension and any other extensions with suspiciously broad permissions. It is crucial to remember that any extension requesting access to read and modify data on all websites should raise serious concerns. Trust should not be placed in programs and extensions based solely on positive reviews on Reddit or other platforms.
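The advice above about extensions that can read and modify data on all websites can be checked against what is actually installed. The following is an added example, not code from Jupiter Research or the original article: it scans a Chromium-style extensions directory for manifests that request all-site host access. The directory layout (`<extension id>/<version>/manifest.json`), the function names and the set of patterns treated as broad are assumptions of this example.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site (assumed set for this example).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_host_access(manifest):
    """Return {manifest key: [broad patterns]} for one parsed manifest.json."""
    found = {}
    if not isinstance(manifest, dict):
        return found
    # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        hits = [p for p in manifest.get(key, []) if isinstance(p, str) and p in BROAD]
        if hits:
            found[key] = hits
    # Content scripts run inside every page that matches these patterns.
    cs_hits = sorted({m for cs in manifest.get("content_scripts", [])
                      for m in cs.get("matches", []) if m in BROAD})
    if cs_hits:
        found["content_scripts.matches"] = cs_hits
    return found


def audit_extensions_dir(root):
    """Scan root/<extension id>/<version>/manifest.json and list flagged extensions."""
    report = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = broad_host_access(manifest)
        if hits:
            # "name" may be a localisation key such as __MSG_appName__.
            report.append((path.parent.parent.name, manifest.get("name", "?"), hits))
    return report


if __name__ == "__main__":
    # Usage: python audit_extensions.py <path to the profile's Extensions directory>
    for ext_id, name, hits in audit_extensions_dir(sys.argv[1]):
        print(f"{ext_id}  {name}")
        for key, patterns in hits.items():
            print(f"    {key}: {', '.join(patterns)}")
```

A flagged extension is not necessarily malicious, since many legitimate tools request the same access; the output is a review list of what is able to read and modify every page the browser loads.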