Attackers used a fake TronLink extension with remote phishing tools to steal wallet credentials from TRON users.
Crypto wallet users are facing a new phishing threat after cybersecurity firm SlowMist uncovered a fake TronLink Chrome extension targeting TRON holders. Attackers used hidden spoofing tricks and a near-perfect wallet clone to steal sensitive credentials from victims. Researchers warn that the campaign uses advanced evasion methods, making detection far more difficult than typical crypto scams.
Fake TronLink Chrome Extension Steals Wallet Credentials
Cybersecurity firm SlowMist has uncovered a sophisticated phishing campaign targeting users of TronLink. Attackers reportedly distributed a fake Chrome extension designed to imitate the official TronLink wallet while quietly stealing sensitive wallet credentials.
🚨 Threat Intelligence | Analysis of a Fake TronLink Chrome Extension Phishing Campaign 🚨
SlowMist’s MistEye threat monitoring system recently detected a high-risk phishing campaign targeting #TRON wallet users. Attackers created a fake Chrome MV3 extension impersonating… pic.twitter.com/2ygOLsdTtw
— SlowMist (@SlowMist_Team) May 11, 2026
Researchers said the campaign used advanced obfuscation methods rarely seen in ordinary crypto scams. Instead of embedding malicious code directly inside the extension, operators relied on remote infrastructure and anti-analysis techniques to avoid detection. Findings came from SlowMist’s MistEye threat monitoring system.
According to the report, attackers created a counterfeit Chrome MV3 extension using Unicode bidirectional characters and Cyrillic homoglyphs to mimic the TronLink brand name. The fraudulent extension also inherited user statistics and positive reviews from the legitimate listing, making the fake version appear trustworthy to unsuspecting users.
SlowMist Urges Users to Remove Suspicious TronLink Chrome Extensions
Security analysts also found that the extension’s local files contained almost no malicious logic. Rather, the code loaded a remote phishing interface through an iframe. That setup reduced the chances of static scanners flagging the extension during inspection.
Once active, the phishing page copied the official TronLink web wallet interface. Victims were prompted to enter mnemonic phrases, private keys, keystore files, and passwords. The stolen data was then sent to attackers instantly via a Telegram bot channel.
SlowMist also identified several anti-forensics functions inside the phishing system. Features reportedly blocked right-click actions, disabled browser developer tools, restricted drag-and-drop activity, and prevented printing. Russian-language users were redirected elsewhere, likely to reduce exposure among local investigators.
Meanwhile, the security firm urged users to remove any suspicious or unknown Chrome extensions immediately, especially ones claiming to be TronLink. According to the report, traders who may have entered wallet credentials should create a new wallet and move funds to a fresh address as soon as possible. Keeping assets in a compromised wallet could lead to stolen funds.
