Security firm SlowMist has warned TRON users about a phishing campaign that uses a fake browser wallet extension to steal crypto wallet data. The firm said it detected the activity through its MistEye monitoring system after spotting unusual extension behavior and signs of remote data theft.
According to the firm's analysis, the fake extension appears on the Chrome Web Store as a Chrome Manifest V3 (MV3) extension posing as TronLink, which helps it avoid early detection. After installation, it loads a remote interface that closely imitates the official wallet. Users then enter private keys, mnemonic phrases, and passwords into a page controlled by attackers. The information is then sent out immediately through automated systems.
Advanced multi-layer phishing chain targets wallet users
SlowMist said attackers used Unicode characters and Cyrillic letters to disguise the extension name, making it appear legitimate. They also exploited Chrome’s listing system to inherit trust signals such as high ratings and install counts. This reduced suspicion during installation. In addition, the extension requested only basic permissions, which helped it pass early security checks.
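The name disguise described above can be checked for mechanically. The following is an added example, not code from SlowMist or the original article: it folds look-alike characters to Latin and flags extension names that resolve to a protected brand without being written in plain form. The confusables table, function names and sample names are constructed assumptions.

```javascript
// Small constructed subset of Cyrillic -> Latin look-alikes (assumption);
// a production check would use the full Unicode confusables data.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], ['\u0441', 'c'], ['\u0435', 'e'], ['\u0456', 'i'],
  ['\u0458', 'j'], ['\u043A', 'k'], ['\u043E', 'o'], ['\u0440', 'p'],
  ['\u0455', 's'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0422', 't'],
]);

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Which of the tracked scripts occur in the text.
function scriptsIn(text) {
  return Object.keys(SCRIPTS).filter((s) => SCRIPTS[s].test(text));
}

// Reduce a name to a comparable form: NFKC folds compatibility forms,
// \p{Cf} drops zero-width/format characters, then look-alikes map to Latin.
function skeleton(text) {
  const cleaned = text.normalize('NFKC').replace(/\p{Cf}/gu, '');
  return [...cleaned].map((ch) => CONFUSABLES.get(ch) || ch).join('').toLowerCase();
}

// brands: display names to protect, e.g. ['TronLink'].
function checkExtensionName(name, brands) {
  const scripts = scriptsIn(name);
  const skel = skeleton(name);
  const brand = brands.find((b) => skel.includes(skeleton(b))) || null;
  // Plain form: the brand appears literally, with no substituted characters.
  const plain = brand !== null && name.toLowerCase().includes(brand.toLowerCase());
  return {
    scripts,
    mixedScript: scripts.length > 1,   // weaker signal on its own
    hiddenChars: /\p{Cf}/u.test(name), // zero-width or other format characters
    brand,
    spoofed: brand !== null && !plain, // folds to the brand but is not the brand
  };
}

// Constructed sample: Cyrillic "о" (U+043E) and "і" (U+0456) in place of Latin letters.
console.log(checkExtensionName('Tr\u043EnL\u0456nk', ['TronLink']));
```

A name that passes this check can still belong to an impostor using the exact brand name, so it complements rather than replaces verifying the official extension ID.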
The real attack began after installation. The extension loaded a remote iframe that fully replaced the wallet interface. It also switched between local and remote servers to avoid detection. This allowed attackers to update phishing content without changing the extension itself. As a result, standard security scans failed to capture the full attack chain.
The phishing page closely copied the official TronLink wallet interface. Users then entered mnemonic phrases, private keys, and keystore files into the fake system. The data moved instantly to attacker-controlled servers and Telegram bots. The page also blocked right-click actions, developer tools, and other inspection tools to prevent analysis.
Wider pattern of crypto extension attacks
This incident reflects a broader trend of malicious browser extensions targeting crypto users. Similar cases have previously hit platforms such as Trust Wallet and other wallet tools, with losses running into millions of dollars. Past campaigns, including “Extension Hollowing,” also relied on trusted extension listings before turning them into attack vectors.
Security experts urge caution when installing wallet-related browser extensions. They say users should check official extension IDs before installing anything and avoid interacting with suspicious wallet prompts. They also advise removing any unknown extensions and moving funds immediately if there is a chance that login details or private keys were exposed.
