Malicious Chrome Extension Impersonates TronLink to Steal Crypto Wallet Credentials


Marcus Rodriguez
May 12, 2026 4 Min Read

Key Takeaways

  • A sophisticated phishing campaign is actively deploying a malicious Chrome extension impersonating the legitimate TronLink crypto wallet.
  • The fake extension, which appeared to have over a million installs and a high rating, captures mnemonic phrases, private keys, keystore files, and passwords and exfiltrates them in real time.
  • The listing appears to have been an established Chrome Web Store listing that was taken over or repurposed, so its install count and ratings looked genuine and gave users little reason to suspect it.
  • Users who interacted with the malicious extension should consider their crypto wallets compromised and immediately transfer funds to a new, secure wallet.

Cybersecurity researchers have uncovered a highly deceptive Chrome browser extension designed to steal cryptocurrency wallet credentials by masquerading as TronLink, a popular wallet for the TRON blockchain ecosystem. The extension operates surreptitiously, capturing mnemonic phrases, private keys, and passwords and exfiltrating them to the threat actors in real time.


What makes this campaign particularly dangerous is its approach to deception. The counterfeit extension was listed on the Chrome Web Store with an install count exceeding one million and a 4.5-star rating backed by hundreds of reviews. That apparent legitimacy likely led many victims to install it without suspicion, believing they were using an authentic and widely adopted tool for the TRON network.

The threat was initially identified and documented by analysts at SlowMist, a security firm specializing in blockchain technologies. Their proprietary MistEye monitoring system flagged the extension as a high-risk phishing sample, prompting an immediate alert to clients once the fake extension and its associated phishing page were confirmed. SlowMist has since published its findings to assist the broader community in recognizing and defending against this specific attack, as detailed in their threat intelligence analysis.

A notable aspect of this attack is the attackers’ presumed method of acquiring credibility. Rather than building a reputation from scratch, they likely compromised an existing, popular extension listing on the Chrome Web Store. By inheriting the established reputation of an authentic extension, they bypassed the arduous process of cultivating trust, ensuring that the displayed ratings and user counts appeared genuine to unsuspecting users.

The consequences of falling victim to this campaign are severe and immediate. Once a user enters wallet credentials into the fake interface, they are transmitted straight to attacker-controlled infrastructure. Any wallet whose credentials were entered through this fraudulent extension should be considered fully compromised, with all of its assets at immediate risk of theft.

MV3 Extension Impersonates TronLink

The attack employs a two-layered structure designed to evade detection by conventional security measures. The initial layer consists of the Chrome extension itself, which presents as an innocuous blockchain explorer requesting minimal permissions. The second, more insidious layer is a remote phishing page that loads within the extension’s popup window, executing the actual credential harvesting.

Upon installation and activation, the extension's popup discreetly checks whether a remote server is reachable. If it is, the popup loads a phishing page inside an embedded frame. This page is a near-perfect replica of the legitimate TronLink web wallet interface, making it very hard for most users to recognise as fraudulent. The attackers also disguised the extension's name with hidden Unicode characters and Cyrillic look-alike letters so that it visually reads as "TronLink" while not matching that string byte for byte, a trick that is likely to slip past automated name checks during Chrome Web Store review.
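The two deceptions described above can both be checked offline from an unpacked extension. The following Node.js script is an added example (not code from the extension, from SlowMist, or from this site): it folds a display name through a small confusables table to expose a look-alike brand and hidden code points, and it lists the remote origins that a popup page frames or scripts. The manifest and popup HTML are constructed samples, the confusables table is a deliberately partial stand-in for the full Unicode data, and the domain remote-ui.example is hypothetical. The security point the second check rests on: Manifest V3 rejects a remote `<script src>`, but it does not stop an extension page from loading a remote `<iframe src>`, which is exactly the gap this campaign uses.

```javascript
// Added example: static triage of an unpacked Chrome extension for a
// look-alike name and for a popup that pulls in remote content.
// Not the malicious extension's code; all inputs below are constructed.

// Cyrillic letters that render like Latin ones. Hypothetical, partial table;
// production tooling should use the full Unicode confusables data.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0443', 'y'], ['\u0445', 'x'], ['\u0456', 'i'],
  ['\u043a', 'k'], ['\u0422', 'T'], ['\u041d', 'H'], ['\u041c', 'M'],
]);
// Zero-width and joiner code points that are invisible in a store listing.
const HIDDEN = /[\u200B-\u200F\u2060\uFEFF\u00AD]/g;

// Strip hidden characters, fold confusables to ASCII, flag mixed scripts.
function analyzeName(name) {
  const hidden = (name.match(HIDDEN) || []).length;
  let cyrillic = 0, latin = 0, skeleton = '';
  for (const ch of name.replace(HIDDEN, '')) {
    if (/\p{Script=Cyrillic}/u.test(ch)) cyrillic++;
    else if (/\p{Script=Latin}/u.test(ch)) latin++;
    skeleton += CONFUSABLES.get(ch) ?? ch;
  }
  return { skeleton, hidden, mixedScript: cyrillic > 0 && latin > 0 };
}

// Collect absolute http(s) origins that the popup markup loads via
// <iframe src> or <script src>. Relative paths are bundled files and
// are ignored; MV3 blocks remote scripts but not remote frames.
function remoteOrigins(popupHtml) {
  const origins = new Set();
  const re = /<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of popupHtml.matchAll(re)) {
    try {
      const u = new URL(m[1]);                 // relative path throws
      if (u.protocol === 'https:' || u.protocol === 'http:') origins.add(u.origin);
    } catch { /* bundled resource, not remote */ }
  }
  return [...origins];
}

// Combine both checks into findings a reviewer can act on.
function triageExtension(manifest, popupHtml, knownBrand) {
  const findings = [];
  const n = analyzeName(manifest.name);
  if (n.hidden > 0) findings.push(`name contains ${n.hidden} hidden code point(s)`);
  if (n.mixedScript) findings.push('name mixes Latin and Cyrillic letters');
  if (n.skeleton === knownBrand && manifest.name !== knownBrand)
    findings.push(`name visually impersonates "${knownBrand}"`);
  for (const o of remoteOrigins(popupHtml))
    findings.push(`popup loads remote content from ${o}`);
  const declaredPermissions =
    (manifest.permissions ?? []).length + (manifest.host_permissions ?? []).length;
  return { findings, declaredPermissions, suspicious: findings.length > 0 };
}

// Constructed sample: "TronLink" spelled with Cyrillic о (U+043E) and
// і (U+0456) plus a trailing zero-width space, and a popup that frames
// a remote wallet UI while declaring only the storage permission.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Tr\u043enL\u0456nk\u200B',
  permissions: ['storage'],
  action: { default_popup: 'index.html' },
};
const SAMPLE_POPUP = `<!doctype html><html><body>
<script src="assets/app.js"></script>
<iframe id="ui" src="https://remote-ui.example/wallet"></iframe>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_POPUP, 'TronLink'), null, 2));
}
```

Run it against a real unpacked extension by reading manifest.json and the file named in action.default_popup; a name whose skeleton equals a known wallet brand while the raw string differs, combined with any remote frame origin in the popup, is enough to pull the extension for manual review.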

UI Impersonation (Source: Medium)

The phishing page is engineered to capture every piece of sensitive data entered by the user, including mnemonic phrases, private keys, keystore files, and passwords. This harvested data is then packaged and directly transmitted to the attacker via the Telegram messaging platform, all without any visible indication to the victim.

Evasion Tactics

The threat actors wrapped the phishing page in several anti-analysis measures to hinder security researchers: blocking the right-click context menu, disabling text selection, intercepting developer-tools keyboard shortcuts, and redirecting suspected bots or analysts to a blank page. The phishing infrastructure also performs locale and geographic detection, redirecting Russian-language users to a separate domain, presumably to reduce the risk of attracting local law enforcement scrutiny, as detailed in the SlowMist report.

What You Should Do

  • Immediately Remove the Extension: If you have this extension installed, remove it from your Chrome browser without delay.
  • Clear Browser Data: Erase all site data and local storage associated with the malicious extension.
  • Assume Compromise: Any cryptocurrency wallet for which credentials (mnemonic phrases, private keys, passwords) were entered into the fake interface should be considered fully compromised.
  • Transfer Funds: Promptly move all digital assets from the compromised wallet to a new wallet created on a trusted device.
  • Block Malicious Domains: Security teams should configure DNS, proxy, and endpoint detection systems to block the domains tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org.
  • Monitor Traffic: Actively monitor network traffic for patterns targeting the API paths used by the phishing backend (e.g., /api/data/words, /api/visitor/track).
  • Restrict Extensions: Implement robust long-term security measures, such as restricting unapproved browser extensions through group policy or device management controls, to significantly reduce similar risks.
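The "Block Malicious Domains" and "Monitor Traffic" items above are easiest to operationalise as a small matcher over proxy or DNS logs. The following Node.js script is an added example (not from the article or from SlowMist): it re-fangs the article's indicators into usable form, scores each hit by which backend endpoint was touched, and also flags outbound calls to the Telegram Bot API. That last rule is an assumption: the article says stolen data is sent via Telegram and lists a chat_id, and a chat_id-addressed message is normally delivered through api.telegram.org/bot<token>/sendMessage, but the exact transport used by this campaign is not stated. The log format and every log line are constructed for the example, and the bot token in them is fake.

```javascript
// Added example: run the article's network IoCs over proxy log lines.
// Not vendor code; log lines and the log format are constructed.

// Indicators are kept defanged as published and re-fanged only here, in code.
const refang = (s) => s.replace(/\[\.\]/g, '.');
const IOC_DOMAINS = new Set([
  'tronfind-api[.]tronfindexplorer[.]com',
  'trx-scan-explorer[.]org',
].map(refang));

// Backend paths named in the IoC table, scored by what they mean.
const IOC_PATHS = new Map([
  ['/api/data/words',    { sev: 'critical', why: 'credential exfiltration endpoint' }],
  ['/api/visitor/track', { sev: 'high',     why: 'victim behaviour tracking' }],
  ['/api/visitor/create',{ sev: 'high',     why: 'victim registration' }],
  ['/api/visitor/enrich',{ sev: 'medium',   why: 'analyst/bot blocking check' }],
  ['/api/visitor/sync',  { sev: 'medium',   why: 'analyst/bot blocking check' }],
]);

// Assumption: exfiltration to a chat_id goes through the Telegram Bot API,
// whose path shape is /bot<numeric id>:<token>/sendMessage or sendDocument.
const TELEGRAM_BOT = /^\/bot\d+:[A-Za-z0-9_-]+\/send(?:Message|Document)$/;

// Constructed log format: "<timestamp> <client_ip> <method> <url> <status>".
function parseLine(line) {
  const [ts, client, method, url, status] = line.trim().split(/\s+/);
  if (!url) return null;
  let u;
  try { u = new URL(url); } catch { return null; }
  return { ts, client, method, host: u.hostname.toLowerCase(),
           path: u.pathname, status: Number(status) };
}

// Return a severity/reason for one parsed record, or null if clean.
function classify(rec) {
  if (IOC_DOMAINS.has(rec.host)) {
    const p = IOC_PATHS.get(rec.path);
    return p ? { ...p } : { sev: 'high', why: 'known phishing domain' };
  }
  if (rec.host === 'api.telegram.org' && TELEGRAM_BOT.test(rec.path))
    return { sev: 'medium', why: 'Telegram Bot API send from client network (review)' };
  return null;
}

// Scan lines, attach context, and order alerts so critical hits surface first.
function scanLogs(lines) {
  const rank = { critical: 0, high: 1, medium: 2 };
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                      // unparseable line, skip
    const hit = classify(rec);
    if (hit) alerts.push({ ...hit, ts: rec.ts, client: rec.client,
                           host: rec.host, path: rec.path });
  }
  return alerts.sort((a, b) => rank[a.sev] - rank[b.sev]);
}

// Constructed sample: one victim (10.0.0.21) walking through the phishing
// flow, one clean client, and one malformed line.
const SAMPLE_LOG = [
  '2026-05-12T09:14:02Z 10.0.0.21 GET https://tronfind-api.tronfindexplorer.com/ 200',
  '2026-05-12T09:14:03Z 10.0.0.21 POST https://tronfind-api.tronfindexplorer.com/api/visitor/create 200',
  '2026-05-12T09:14:40Z 10.0.0.21 POST https://tronfind-api.tronfindexplorer.com/api/data/words 200',
  '2026-05-12T09:14:41Z 10.0.0.21 POST https://api.telegram.org/bot123456:AAEXAMPLE-fake/sendMessage 200',
  '2026-05-12T09:15:00Z 10.0.0.33 GET https://www.example.com/ 200',
  'garbage line',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of scanLogs(SAMPLE_LOG))
    console.log(`${a.sev.padEnd(8)} ${a.client} ${a.host}${a.path}  ${a.why}`);
}
```

A hit on /api/data/words is the signal that credentials were actually submitted, not just that the page was opened, so it is the one to page on; the visitor endpoints identify exposed users who should still be contacted even if no critical hit follows. The Telegram rule will also fire on legitimate bots, which is why it is scored for review rather than blocking.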

Indicators of Compromise (IoCs):

Type | Indicator | Description
Domain | tronfind-api[.]tronfindexplorer[.]com | Primary malicious domain; remote UI loading endpoint and credential theft backend
Domain | trx-scan-explorer[.]org | Secondary malicious domain; redirect target for Russian-region users
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/ | Remote phishing page root URL
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/data/words | Credential exfiltration endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/track | Visitor behaviour tracking endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/create | Visitor creation endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/enrich | Visitor enrichment/blocking check endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/sync | Visitor sync/blocking check endpoint
Telegram chat_id | 8334454422 | Attacker-controlled Telegram account receiving stolen credentials
Chrome Extension ID | ekjidonhjmneoompmjbjofpjmhklpjdd | Malicious extension ID on the Chrome Web Store
MD5 | ce612d027e631d6633582227eb29002f | Hash of malicious extension file
SHA1 | 94d651b42355f2b0765a7435e5a5927623807225 | Hash of malicious extension file
SHA256 | 6b4a4b64e6f969017cb3a9a71dd3038ddf32b989e5342dbbe36650d5802f2ee4 | Malicious file: index.html
SHA256 | b84b89f0a1b7f00431274ac676104acaaa73d440e5731161d1077e733014cc29 | Malicious file: 27-a530a8c5aa9059e0.js
SHA256 | 0cbf4f21cf157227d2c3fba80b64e1f4c3f9d2cc0bf926e024252c35e93edd5a | Malicious JavaScript file (filename not specified)
Filename | index.html | Malicious extension popup entry file
Filename | assets/index.html-2KXeQB-c.js | Core malicious JavaScript logic file within the extension package
Filename | 27-a530a8c5aa9059e0.js | Malicious JavaScript file associated with the phishing page

Note: Domains and URLs above are intentionally defanged (e.g., [.] and [:]) to prevent accidental resolution or hyperlinking. Re-fang them only inside controlled threat intelligence tooling such as MISP, VirusTotal, or your SIEM.
