Olivia
Online
SectorH (SOLD OUT)
@SectorHSecurity
A series of NFT collections!
A collaboration of security professionals building security tools for #solana
Discord:
https://sectorh.io
Joined March 2022
202 Following
618 Followers
1.5K Posts
Pinned Tweet
The world is changing and Agents are coming to help combat scammers.
This is a view of an investigation kicked off by an AI based agent on a social media account. In this example we are showing how it works with our main account.
#infosecurity #LLMs #aiagents
1/2
Use Solana? Don't forget to reclaim $SOL from closed Token/NFT accounts, etc... It's simple:
- visit @solincinerator
- connect Wallet
- click "Cleanup" tab
- confirm the burn
- get $SOL
Here is one my main wallets I will be getting back 5.8 SOL. Nothing major, but free $$
Pig Butchering Scam!
There are previous posts on an Asian lady pig butchering scam, but here is an updated version a friend shared with me. Be safe!
This is similar to the previous romance scam, but this example the lady was met in a dating app.
1/6
Identification Of Malicious Extension
Over the last week, we received reports that a small number of users using Solana DeFi got drained.
After extensive investigation, we have identified a malicious Chrome extension called “Bull Checker” that had targeted users on several Solana-related subreddits.
Users with this extension would interact with the dApps as per normal, have the simulation show up as normal, but have the possibility of their tokens being maliciously transferred to another wallet upon transaction completion.
If you have this extension (or similar extensions with extensive permissions you cannot trust), please remove it immediately.
Note that there is no vulnerability found in any of the dapps or wallets.
A report with all the key technical details, including why the simulation looked normal, is available at:
https://t.co/u5mfmRbJMz
For the report, we collaborated with @0xslipper from @Offside_Labs who was extremely helpful for much of the technical analysis.
Much thanks to @blowfishxyz, @RaydiumProtocol and @phantom who also reviewed this post too.
Example Transactions
Here are 2 examples of transactions that have interacted with the malicious program
5UMucMksJweA1AtgyxrK8DJeBXr3DQGEGRs5Kkq2pZjr
https://t.co/gGodMZNuvK
https://t.co/hvziyniTuQ
In both cases, malicious instructions were added to regular Jupiter and Raydium instructions, and the resulting transaction was signed by the user as per normal, but had their tokens and authority transferred to the malicious address.
The Suspected Extension: Bull Checker
Upon further investigation of several affected users who have been drained by the same program, we have identified an extension called “Bull Checker”, which has the permissions to read and change all the data on the website, as a potential cause.
Raydium has confirmed that their affected user has the same extension installed.
Bull Checker is supposed to be a read-only extension that allows you to view the holders of memecoins. There should be no need for an extension like this to read or write data on all websites.
This should have been a major red flag for users, but apparently several users continued to install and use the extension.
After installing Bull Checker, it will wait till a user interacts with a regular dApp on the official domain, before modifying the transaction sent to the wallet to sign. After modification, the simulation result will still be “normal” and not appear to be a drainer.
Technical Analysis
For a full technical analysis, including why the simulation check looked normal, how the drainer tx worked, and what the extension code did, please refer to the jupresearch post here:
https://t.co/u5mfmRbJMz
Targeting Memecoin Traders
In addition to the above information, while researching “Bull Checker” we discovered that it was publicised by an anonymous Reddit account, “Solana_OG”. This person appeared to target users looking to trade memecoins, and lured them to download the extension.
Links:
https://t.co/WuhFWj5gdH
https://t.co/j5Du0YRi4L
Key Safety Habits
While we have identified one malicious extension, there might still be other malicious extensions out there.
1. If you suspect an extension contains malware, particularly if they have both “read” and “change” permissions, uninstall it immediately.
2. Do not trust something just because someone mentioned it on Reddit or other media and it has many upvotes. Astroturfing and social engineering for the purpose of scamming are very real.
3. Extensions that request for extensive permissions are highly suspicious. An extension like Bull Checker should not need to read and modify all your website data. You should have an extremely high degree of confidence in an extension before you start using it.
4. In addition, Blowfish has released a new guard instruction feature called SafeGuard that prevents all simulation spoofing attacks. It’s currently being adopted by multiple Solana wallets and will likely be useful in prevent such future attacks.
Conclusion
Stay safe out there, and don’t install extensions that can read/write data unless you are really sure.
Many thanks to Siji from Offside Labs, Blowfish, Raydium and Phantom for assisting in this investigation.
Be aware of the malicious drainer extension. Thanks to @JupiterExchange to posting the details.
https://t.co/WXMtBGUWYW
Secrets are within.
Share your latest scams and it may feel rewarding.
@SOLcheckmate Thank you for reporting. Hit us up with a clean wallet when you have a minute.
Watching the AI Agent as it takes us through its thought process and continues to expand the investigation.
The tooling is here. Soon it will be in our users hands.
2/2
The world is changing and Agents are coming to help combat scammers.
This is a view of an investigation kicked off by an AI based agent on a social media account. In this example we are showing how it works with our main account.
#infosecurity #LLMs #aiagents
1/2
@HackersAgents Is it NFT Season yet ?
@Tukytuky_ @solflare_wallet @MonkeDAO @EYEKONNFT @SharkyFi @GalacticGeckoSG @MagicEden @DegenApeAcademy @KeystoneWallet @slapcitygame @SolanaSensei Solana has some security minded people to improve the system.
@Tree_of_Alpha @doomxbt Stay safe everyone and make sure you are using trusted extensions.
Sometimes these extensions act different behind different networks too. Meaning they can target when to be active and not active sometimes.
Good write up here. https://t.co/xqwuZxwunS
🚀 Share your top AI and blockchain security tips using #AISecurityTip for a chance to be featured and win a prize!
🏆 Best tips will be highlighted in our upcoming posts. #SolanaSecurity
@Rlc4rdoMercy @tonbegus17 @FahrezaHarry Sent you a DM.
Its another SectorH Saturday #Giveaway
Get your warrior on!
1. Retweet
2. Tag 2 friends
Monday we will pick a winner for this warrior.
Its Saturday.. Send those scams to sectorh.sol
Inferno Drainer is a widely used piece of JavaScript malware in web3 phishing campaigns. In this article, I explore some de-obfuscation and debugging techniques to help understand its functionality.
https://t.co/angXViQJQ9
STACKIN’ BILLS💸 by @Trust_Labs_ 🫡
@DrSolanaNFT
@ItzBeenLos
@TheChefBoyRDave
@penyotixNFT
@CryptoZod3
@theblap_sol
MAX VOLUME⚡️
Dont miss the epic ending🔥
RT IF YOU VIBIN’ 😎💯
🚩 Beware of Scammers 🚩
They're getting a bit more sophisticated with the @Calendly link scams. If you open the link and engage this could result in more then just loss of crypto funds.
If you get DMs like this make sure to report them too - do your part to clean up our space. 🙏
@MagicEden good stuff at NYC NFT.
Last Seen Users on Sotwe
mas Raka (pijat Samarinda khusus wanita)
Seen from Singapore
Furry_Desirer 
Seen from United States
Erdem Asde
Seen from Turkey
🔞 Jaybaesun 🌞
Seen from Netherlands
ابو مشعل
Seen from United States
Hasan🇧🇩🥵
Seen from India
Sahibe Ceylan Adana
Seen from Turkey
fofa
Seen from United States
GudangTobrut
Seen from Oman
شيماء
Seen from Algeria
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.4M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.1M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.4M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.6M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.2M followers