SlowMist: TRON users beware of phishing attacks impersonating the TronLink extension

BlockBeats News, May 11 — The SlowMist team recently issued a warning, discovering a high-risk phishing incident targeting TRON wallet users. The attacker created a Chrome browser extension that impersonates the official TronLink wallet, using Unicode bidirectional control characters and visually similar Cyrillic letters to forge the extension name, thereby deceiving users.

The malicious extension’s name displayed in the Chrome Web Store closely resembles the legitimate one and leverages the high download count and positive reviews of the real extension, reducing the vigilance of ordinary users. The extension’s code is minimal, only responsible for loading a complete phishing page from a remote server, forming a “shell and core separation” attack chain, making it difficult for routine static code reviews to detect malicious activity.

The remotely loaded phishing page visually nearly identical to the real TronLink web wallet, specifically designed to trick users into entering seed phrases, private keys, Keystore files, and wallet passwords. Once submitted, these sensitive details are immediately sent to the attacker via a Telegram bot. Additionally, the page has built-in anti-debugging features, disabling right-click menus, developer tools, drag-and-drop actions, and printing. It also redirects based on the user’s geographic location and language settings (especially targeting Russian users) to evade automated security scans.

SlowMist recommends users immediately check and uninstall suspicious extensions from unknown sources, clear local browser storage data, and watch for abnormal network requests. If wallet information has been inadvertently leaked, users should immediately create a new wallet and transfer all assets to a secure address.