Slow Fog: TRON users should be vigilant against phishing activities involving counterfeit TronLink Chrome extensions

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.

The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.

Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.