Solana Memecoin Traders Are at Risk of Having Their Wallets Drained via the Bull Checker Extension

Solana users complained about losing funds to a Chrome extension. The Bull Checker extension looks legitimate but is a tool for hackers.

Over the past week, reports surfaced of a small number of Solana DeFi users experiencing account drains. A group of researchers identified a malicious Chrome extension called “Bull Checker” as the source of the issue.

The actors behind the “Bull Checker” extension disguised it as a read-only tool for viewing memecoin holders and deceptively promoted it on several Solana-related subreddits. Users who installed the extension interacted with dApps as usual, with transaction simulations appearing normal.

However, the extension secretly altered transactions, potentially diverting user funds to another wallet upon completion.

This incident underscores the critical importance of exercising extreme caution when granting permission to browser extensions. “Bull Checker” had access to read and change data on all websites—an alarming red flag that should have alerted users. The extension’s supposed functionality, simply viewing memecoin holders, did not justify such extensive permissions.
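
The permission check described above, as an added example (not from the original article or the researchers): a Python audit that flags installed Chrome extensions whose manifest requests access to all websites. It assumes Chrome's `Extensions/<id>/<version>/manifest.json` profile layout; the function names and sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Match patterns that cover every site; Chrome summarises them at install time
# as "Read and change all your data on all websites".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def _broad(patterns):
    # Manifest lists can hold non-string entries; only strings are match patterns.
    return [p for p in patterns if isinstance(p, str) and p in ALL_SITES]

def broad_host_access(manifest):
    """List the places where a manifest asks for access to all websites."""
    findings = []
    for key in HOST_KEYS:  # MV2 keeps host patterns in "permissions", MV3 in "host_permissions"
        findings += [f"{key}: {p}" for p in _broad(manifest.get(key, []))]
    # Content scripts run inside every page their "matches" patterns cover.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        findings += [f"content_scripts[{i}].matches: {p}"
                     for p in _broad(script.get("matches", []))]
    return findings

def audit_extensions(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return {id: findings}."""
    flagged = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        findings = broad_host_access(manifest)
        if findings:
            flagged.setdefault(path.parts[-3], []).extend(findings)
    return flagged

# Constructed sample manifests (not taken from any real extension).
SAMPLE_VIEWER = {"manifest_version": 3, "name": "Token holder viewer (constructed)",
                 "host_permissions": ["<all_urls>"],
                 "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "Narrow tool (constructed)",
                 "host_permissions": ["https://example.org/*"]}

if __name__ == "__main__":
    import sys
    for ext_id, why in audit_extensions(sys.argv[1]).items():
        print(ext_id, why)
```

Run it with the path to a browser profile's `Extensions` directory; any extension it lists whose stated purpose does not need every site deserves a closer look.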

Investigators emphasized that no vulnerabilities were found in any of the affected dApps or wallets. The drains were solely due to the malicious actions of the “Bull Checker” extension.

The investigation was a collaborative effort involving Siji from OffsideLabs, 0xSoju, and 0xYankee, who provided crucial technical analysis.

Bull Checker Attack Targeted Memecoin Traders

According to sources, memecoin traders became the target of an anonymous Reddit account, “Solana_OG,” which actively promoted “Bull Checker” to users interested in trading memecoins. The account effectively targeted a specific group vulnerable to scams.

The extension targeted users interacting with legitimate dApps on official domains. It silently modified transactions before they reached the wallet for signing, so simulations still looked normal and the changes went undetected.

Notably, while simulations appeared legitimate, the malicious instructions were executed on-chain. The extension monitored the specific SOL account to determine when to execute these instructions, thus evading detection.

The latest discovery shows malicious actors’ ongoing attempts to compromise Solana. In its defense, a swift and well-executed patch averted a major security threat.
