SlowMist Discloses Phishing Campaign Involving Fake TronLink Chrome Extension That Steals Wallet Credentials Such as Mnemonics and Private Keys

According to SlowMist, its security monitoring system MistEye has detected a counterfeit TronLink Chrome MV3 extension targeting TRON wallet users with a two-layer phishing attack. The extension disguises itself as the official plugin using Unicode obfuscation and brand spoofing. Upon installation, it first loads a remote iframe-based pop-up page designed to trick users into entering their mnemonic phrases, private keys, keystore files, and passwords—then exfiltrates this sensitive data via same-origin APIs to a Telegram bot. The malicious infrastructure involved includes the domains tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org; the malicious extension ID is ekjidonhjmneoompmjbjofpjmhklpjdd. SlowMist advises users to immediately uninstall the extension. If sensitive information has already been submitted, users should promptly migrate their assets and discontinue use of the compromised wallet.