Malicious Chrome Extension Impersonates TronLink to Steal Crypto Wallet Credentials
Key Takeaways
- A sophisticated phishing campaign is actively deploying a malicious Chrome extension impersonating the legitimate TronLink crypto wallet.
- The fake extension, which appeared to have over a million installs and high ratings, steals mnemonic phrases, private keys, and passwords in real-time.
- This attack leverages a compromised legitimate Chrome Web Store listing, making it highly deceptive and difficult for users to identify as fraudulent.
- Users who interacted with the malicious extension should consider their crypto wallets compromised and immediately transfer funds to a new, secure wallet.
Cybersecurity researchers have uncovered a highly deceptive Chrome browser extension designed to steal sensitive cryptocurrency wallet credentials by masquerading as TronLink, a popular wallet for the TRON blockchain ecosystem. This malicious extension operates surreptitiously, extracting critical user data such as mnemonic phrases, private keys, and passwords, and then exfiltrating them to threat actors in real-time.
What makes this campaign particularly dangerous is its sophisticated approach to deception. The counterfeit extension was listed on the Chrome Web Store, displaying a fabricated install count exceeding one million users and boasting a 4.5-star rating supported by hundreds of reviews. This apparent legitimacy likely led numerous victims to install it without suspicion, believing they were engaging with an authentic and widely adopted tool within the TRON network.
The threat was initially identified and documented by analysts at SlowMist, a security firm specializing in blockchain technologies. Their proprietary MistEye monitoring system flagged the extension as a high-risk phishing sample, prompting an immediate alert to clients once the fake extension and its associated phishing page were confirmed. SlowMist has since published its findings to assist the broader community in recognizing and defending against this specific attack, as detailed in their threat intelligence analysis.
A notable aspect of this attack is the attackers’ presumed method of acquiring credibility. Rather than building a reputation from scratch, they likely compromised an existing, popular extension listing on the Chrome Web Store. By inheriting the established reputation of an authentic extension, they bypassed the arduous process of cultivating trust, ensuring that the displayed ratings and user counts appeared genuine to unsuspecting users.
The consequences of falling victim to this campaign are severe and immediate. Once a user inputs their wallet credentials into the fake interface, these sensitive details are instantly transmitted to attacker-controlled accounts. Any cryptocurrency wallet accessed via this fraudulent extension should be considered fully compromised, placing all digital assets at significant risk of theft.
MV3 Extension Impersonates TronLink
The attack employs a two-layered structure designed to evade detection by conventional security measures. The initial layer consists of the Chrome extension itself, which presents as an innocuous blockchain explorer requesting minimal permissions. The second, more insidious layer is a remote phishing page that loads within the extension’s popup window, executing the actual credential harvesting.
Upon installation and activation, the extension’s popup discreetly checks for the availability of a remote server. If accessible, it loads a phishing page within an embedded frame. This page is an almost perfect replica of the legitimate TronLink web wallet interface, making it nearly impossible for most users to discern its fraudulent nature. The attackers also utilized subtle obfuscation techniques, embedding hidden Unicode characters and Cyrillic lookalike letters in the extension’s name to visually mimic “TronLink,” thereby circumventing automated review processes on the Chrome Web Store.
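As an added illustration (not code from SlowMist or from the article), the check below flags an extension title that mixes scripts, hides zero-width characters, or collapses to a protected brand name once Cyrillic look-alikes are folded away. The confusable table is a constructed subset and `PROTECTED_BRANDS` is an assumed watch-list.

```python
import unicodedata

# Zero-width / invisible code points that render as nothing in an extension title.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Constructed subset of Cyrillic-to-Latin look-alikes (not a complete confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u043a": "k", "\u0422": "T",
    "\u041a": "K", "\u041d": "H", "\u0420": "P", "\u0410": "A", "\u041e": "O",
}

PROTECTED_BRANDS = ("tronlink",)  # assumed watch-list of names worth protecting


def scripts_in(name):
    """Scripts used by the letters of a name, taken from each code point's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def skeleton(name):
    """Reduce a title to what a user sees: drop invisibles, fold look-alikes, casefold."""
    visible = "".join(ch for ch in name if ch not in INVISIBLE)
    visible = unicodedata.normalize("NFKC", visible)
    return "".join(CONFUSABLES.get(ch, ch) for ch in visible).casefold()


def analyze_extension_name(name):
    """Flag a title that mimics a protected brand, hides characters, or mixes scripts."""
    invisible = [f"U+{ord(ch):04X}" for ch in name if ch in INVISIBLE]
    scripts = sorted(scripts_in(name))
    skel = skeleton(name)
    brand = next((b for b in PROTECTED_BRANDS if skel == b), None)
    # A genuine listing spells the brand in plain Latin letters; anything else
    # that collapses to the same skeleton is a look-alike.
    mimics = brand if brand and name.casefold() != brand else None
    return {
        "name": name,
        "invisible": invisible,
        "scripts": scripts,
        "mimics": mimics,
        "suspicious": bool(invisible) or len(scripts) > 1 or mimics is not None,
    }
```

Run it over the titles of every extension in a fleet inventory; a hit on `mimics` with more than one script is the pattern this campaign used.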

The phishing page is engineered to capture every piece of sensitive data entered by the user, including mnemonic phrases, private keys, keystore files, and passwords. This harvested data is then packaged and directly transmitted to the attacker via the Telegram messaging platform, all without any visible indication to the victim.
Evasion Tactics and What Users Should Do
The threat actors implemented several protective measures around their phishing page to hinder analysis by security researchers. These tactics include blocking right-click functionality, disabling text selection, intercepting developer tools shortcuts, and redirecting suspected bots or analysts to a blank page. Furthermore, the phishing infrastructure incorporates geographic detection, automatically redirecting Russian-language users to a separate domain, presumably to mitigate the risk of attracting local law enforcement scrutiny, as detailed in the SlowMist report.
What You Should Do
- Immediately Remove the Extension: If you have this extension installed, remove it from your Chrome browser without delay.
- Clear Browser Data: Erase all site data and local storage associated with the malicious extension.
- Assume Compromise: Any cryptocurrency wallet for which credentials (mnemonic phrases, private keys, passwords) were entered into the fake interface should be considered fully compromised.
- Transfer Funds: Promptly move all digital assets from the compromised wallet to a new wallet created on a trusted device.
- Block Malicious Domains: Security teams should configure DNS, proxy, and endpoint detection systems to block the domains tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org.
- Monitor Traffic: Actively monitor network traffic for patterns targeting the API paths used by the phishing backend (e.g., /api/data/words, /api/visitor/track).
- Restrict Extensions: Implement robust long-term security measures, such as restricting unapproved browser extensions through group policy or device management controls, to significantly reduce similar risks.
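To make the monitoring step concrete, the added example below (not code from SlowMist or from the article) scans constructed proxy log lines for the domains and backend API paths listed on this page, keeping the IoCs defanged as published and refanging them only in memory for matching. The log line format is an assumption.

```python
import re
from urllib.parse import urlsplit

# IoCs exactly as published (defanged); they are refanged only in memory for matching.
DEFANGED_DOMAINS = ["tronfind-api[.]tronfindexplorer[.]com", "trx-scan-explorer[.]org"]
SUSPICIOUS_PATHS = ["/api/data/words", "/api/visitor/track", "/api/visitor/create",
                    "/api/visitor/enrich", "/api/visitor/sync"]
EXFIL_PATH = "/api/data/words"  # credential exfiltration endpoint from the IoC table

def refang(indicator):
    """Undo the [.] / [:] / hxxp defanging used in threat-intel write-ups."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(line):
    """Return a finding for one log line, or None if the line is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = url.hostname or ""
    domain_hit = host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS)
    path_hit = url.path in SUSPICIOUS_PATHS
    if domain_hit and url.path == EXFIL_PATH:
        severity = "critical"   # credentials were likely posted to the attacker backend
    elif domain_hit:
        severity = "high"       # phishing UI loaded from known infrastructure
    elif path_hit:
        severity = "low"        # same backend paths on an unknown host: hunting lead only
    else:
        return None
    return {"client": m["client"], "host": host, "path": url.path, "severity": severity}

def scan(lines):
    """Findings for every matching line, in log order."""
    return [f for f in map(classify, lines) if f]

# Constructed sample traffic; the malicious host is built from the defanged IoC at runtime.
_API = refang(DEFANGED_DOMAINS[0])
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://cdn.example.org/static/app.js 200",
    f"2024-01-01T10:00:01Z 10.0.0.5 GET https://{_API}/ 200",
    f"2024-01-01T10:00:07Z 10.0.0.5 POST https://{_API}{EXFIL_PATH} 200",
    "2024-01-01T10:01:00Z 10.0.0.9 POST https://unknown-host.example/api/visitor/track 200",
]
```

A "critical" finding means a client reached the exfiltration endpoint and its wallet should be treated as compromised per the guidance above; a "low" finding on a new host is a lead for discovering rotated infrastructure.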
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | tronfind-api[.]tronfindexplorer[.]com | Primary malicious domain; remote UI loading endpoint and credential theft backend |
| Domain | trx-scan-explorer[.]org | Secondary malicious domain; redirect target for Russian-region users |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/ | Remote phishing page root URL |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/data/words | Credential exfiltration endpoint |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/track | Visitor behavior tracking endpoint |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/create | Visitor creation endpoint |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/enrich | Visitor enrichment/blocking check endpoint |
| URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/sync | Visitor sync/blocking check endpoint |
| Telegram chat_id | 8334454422 | Attacker-controlled Telegram account receiving stolen credentials |
| Chrome Extension ID | ekjidonhjmneoompmjbjofpjmhklpjdd | Malicious extension ID on Chrome Web Store |
| MD5 | ce612d027e631d6633582227eb29002f | Hash of malicious extension file |
| SHA1 | 94d651b42355f2b0765a7435e5a5927623807225 | Hash of malicious extension file |
| SHA256 | 6b4a4b64e6f969017cb3a9a71dd3038ddf32b989e5342dbbe36650d5802f2ee4 | Malicious file: index.html |
| SHA256 | b84b89f0a1b7f00431274ac676104acaaa73d440e5731161d1077e733014cc29 | Malicious file: 27-a530a8c5aa9059e0.js |
| SHA256 | 0cbf4f21cf157227d2c3fba80b64e1f4c3f9d2cc0bf926e024252c35e93edd5a | Malicious JavaScript file (filename not specified) |
| Filename | index.html | Malicious extension popup entry file |
| Filename | assets/index.html-2KXeQB-c.js | Core malicious JavaScript logic file within extension package |
| Filename | 27-a530a8c5aa9059e0.js | Malicious JavaScript file associated with phishing page |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.