Skip to content
- SlowMist warned that fake TronLink extensions are stealing TRON wallet access data.
- Attackers used remote wallet pages to collect keys, phrases, passwords, and files.
- TRON users were urged to verify extension IDs and move funds if keys were exposed.
Security firm SlowMist warned that TRON users are facing a phishing campaign built around fake browser wallet extensions. The firm said its MistEye system detected unusual extension behavior and signs that wallet data was being stolen remotely from users online.
According to SlowMist, the fake extension appeared on the Chrome Web Store as a Chrome MV3 version of TronLink. That structure helped it look like a normal wallet tool and avoid early detection.
Also Read: Trump Media Crashes $406M as Bitcoin Bet Turns Into Massive Disaster
Fake TRON Wallet Interface Steals User Credentials
Once installed, the extension connected to a remote interface that was a copy of the official TronLink wallet. Users were then asked to provide private keys, passphrases, passwords, or keystore files to a page hosted by attackers.
SlowMist stated that the data was immediately sent out via automated systems. The TRON campaign was focused on the data that was exposed and used by the organization for sensitive access that would enable an attacker to control the exposed crypto asset.
The attackers had encrypted the extension name with Unicode characters and Cyrillic letters, the firm said. This helped the listing look more like a real TRON wallet and helped to lower the suspicion.
Attackers also took advantage of Chrome’s listing system to inherit its trust indicators, like ratings and install counts. SlowMist claimed that the extension was requesting only basic permissions, helping it to get past early tests.
The main attack started after users installed the extension. It loaded a remote iframe, which replaced the wallet interface, and switched between local and server to avoid review.
Fake TronLink Page Sends Wallet Data to Attackers
However, this design enabled attackers to modify the content of phishing without changing the extension. The entire attack sequence was more difficult to detect by standard scanners, SlowMist said.
The fake page was a close copy of the official TronLink interface. The users who trusted the page could enter mnemonic phrases, private keys, or keystore files directly to the attacker servers or Telegram bots.
The phishing page also disabled right-click, developer tools, and inspection functions. SlowMist said those restrictions were to stop analysis and to obscure the operation.
Moreover, the alert comes after an increase in malicious browser extensions targeting TRON wallet users. The same campaign has taken a toll on wallet applications like Trust Wallet with losses in millions of dollars, and previous “Extension Hollowing” attacks targeted trusted listings.
Security experts recommended users of TRON double-check extension IDs before installing tools. They also recommended consumers not to click on suspicious messages, delete unknown extensions, and transfer money if they think private keys might have been compromised.
Also Read: Lazarus Group Exploits LayerZero Labs’ Internal RPCs: A Deep Dive into the Post-Mortem
