Solana users at risk as malicious Google Chrome extension drains funds

Aug 20, 2024
  • Jupiter warns of malicious extension stealing funds by altering Solana transactions.
  • The extension has the ability to evade Solana's transaction simulation checks.
  • Jupiter urges users to uninstall any suspicious extensions.

Jupiter, a decentralised exchange on Solana, has issued a warning about a malicious browser extension targeting Solana users on Google Chrome.

According to a detailed analysis by the platform’s founder, who goes by the moniker Meow, the extension is designed to drain users’ funds and can even bypass Solana’s transaction simulation checks.

Solana users at risk

Dubbed “Bull checker”, the extension was being promoted on the social media platform Reddit across many of its Solana-related forums. It advertised itself as a tool that allows users to view all holders of a particular memecoin.

In reality, the extension, which appears benign, could transfer user funds to a different wallet by intercepting and modifying transactions when a user interacts with a decentralised application (dapp).

The extension was also designed to evade detection by transaction simulation tools.

Specifically, the extension hijacks the wallet’s signTransaction method and forwards the transaction to a remote server controlled by the attacker.

There, the transaction is modified to include instructions that drain funds from the user’s wallet and transfer authority to the attacker.

When the user then signs the transaction, the altered instructions are executed, giving the attacker permission to transfer all tokens from the victim’s wallet.
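The attack described above works because the dapp hands a transaction to the wallet provider and trusts whatever comes back. The following is an added example, not code from the article or from Jupiter, of a dapp-side check that snapshots the transaction message before calling signTransaction and refuses to broadcast if the signed message differs. The simplified transaction shape, the provider API and all keys are assumptions (placeholders); a real Solana Message would be the serialized fee payer, blockhash and instruction list.

```javascript
// Added example: dapp-side integrity check for transactions returned by a wallet provider.
// Transaction shape and provider API are assumed; keys below are constructed placeholders.

// Deterministic serialization so equal messages compare equal regardless of key order.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Taken by the dapp at build time, before the provider (or anything hooking it) sees the tx.
function snapshotMessage(tx) {
  return canonicalize(tx.message);
}

// Returns a list of differences between the snapshot and the signed message; empty = intact.
function verifySignedTransaction(snapshot, signedTx) {
  const after = signedTx.message;
  if (canonicalize(after) === snapshot) return [];
  const before = JSON.parse(snapshot);
  const problems = [];
  if (after.feePayer !== before.feePayer) problems.push(`fee payer changed to ${after.feePayer}`);
  const n = Math.max(before.instructions.length, after.instructions.length);
  for (let i = 0; i < n; i++) {
    const a = before.instructions[i], b = after.instructions[i];
    if (!a) problems.push(`instruction ${i} added (program ${b.programId})`);
    else if (!b) problems.push(`instruction ${i} removed (program ${a.programId})`);
    else if (canonicalize(a) !== canonicalize(b)) problems.push(`instruction ${i} modified (program ${b.programId})`);
  }
  return problems.length ? problems : ['message changed in a field other than fee payer or instructions'];
}

// Wrap the provider call: sign, verify, and only return the transaction if its message is intact.
async function signWithIntegrityCheck(provider, tx) {
  const snapshot = snapshotMessage(tx);
  const signed = await provider.signTransaction(tx);
  const problems = verifySignedTransaction(snapshot, signed);
  if (problems.length) throw new Error('refusing to broadcast: ' + problems.join('; '));
  return signed;
}

// Constructed sample transaction and two test doubles: an honest signer, and one that appends
// an instruction the dapp never built (the behaviour the article describes).
const SAMPLE_TX = { message: { feePayer: 'UserPubkeyPLACEHOLDER', recentBlockhash: 'BlockhashPLACEHOLDER',
  instructions: [{ programId: 'SwapProgramPLACEHOLDER', accounts: ['user', 'pool'], data: 'swap' }] }, signatures: [] };
const honestSign = tx => ({ ...tx, signatures: [...tx.signatures, 'sigPLACEHOLDER'] });
const tamperingSign = tx => ({ signatures: ['sigPLACEHOLDER'], message: { ...tx.message, instructions: [...tx.message.instructions,
  { programId: 'TokenProgramPLACEHOLDER', accounts: ['userTokenAccount', 'attackerPubkeyPLACEHOLDER'], data: 'set-authority' }] } });
```

The check only covers what the dapp can see; it does not help if a hooked provider broadcasts the altered transaction itself or if the wallet's own display is what the user relies on.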

Meow states that the extension asks for both read and write permission from users during the installation process, adding that this was a major “red flag”, as any extension claiming to do what Bull checker does would only require “read-only” permission. The founder added:

There have been reports of other drains that we have not been able to track down. If you suspect an extension contains malware, particularly if it has both “read” and “change” permissions, uninstall it immediately.

According to the analysis, this extension affected only a “small number” of users, but further details were not disclosed. Meanwhile, Jupiter has urged users to uninstall any suspicious extensions that require similar permissions. It assured its community that no vulnerabilities were discovered within any of its dapps or wallets.

A recurring theme in crypto

This isn’t the first incident in which a malicious browser extension targeted cryptocurrency users. 

For instance, users of crypto hardware wallet manufacturer Ledger were targeted by a fake extension disguised as the Ledger Live app, which wallet owners use to approve transactions. The extension required users to input their seed phrases during installation, ultimately using them to drain funds.

Earlier this year, a malicious extension was reportedly mimicking the Aggr app, which offers an array of tools for professional traders. The fake extension was designed to collect website cookies from a victim’s web browser and use them to reconstruct passwords and recovery keys, specifically targeting Binance accounts.

Attackers in the cryptocurrency space have continued to evolve, using more sophisticated tactics designed to trick victims. As previously reported by Invezz, crypto scammers were spotted using fake Zoom links to deploy malware on Windows computers, resulting in the loss of over $300,000 in funds.