Fake TronLink Chrome Extension Steals Crypto Wallet Credentials in Large-Scale Phishing Attack
A malicious Chrome extension masquerading as the popular TronLink crypto wallet has been discovered stealing sensitive credentials, including mnemonic phrases, private keys, and passwords from unsuspecting users. The extension, which appeared on the Chrome Web Store with over 1 million claimed installs and a 4.5-star rating, exploited the reputation of a legitimate listing to evade suspicion.
Security firm SlowMist identified the threat after its MistEye monitoring system flagged the extension as a high-risk phishing sample. The attack leveraged a two-layer approach: the extension itself, which requested minimal permissions, and a remote phishing page that loaded inside the extension’s popup. This page was a near-perfect replica of the real TronLink wallet, tricking users into entering their credentials.
Once entered, the stolen data was instantly transmitted to attacker-controlled accounts via Telegram, leaving victims unaware of the breach. The extension also employed evasion tactics, including Unicode spoofing to mimic the TronLink name, geographic redirection (blocking Russian users), and anti-analysis measures like disabling right-clicks and developer tools.
The impact is severe: any wallet accessed through the extension is considered fully compromised, with funds at immediate risk of theft. Users who installed the extension (ID: ekjidonhjmneoompmjbjofpjmhklpjdd) are advised to remove it and migrate funds to a new wallet. Security teams should block the malicious domain tronfind-api.tronfindexplorer[.]com and monitor for related traffic patterns.
The attack highlights the risks of inherited extension reputations and the sophistication of modern phishing campaigns targeting cryptocurrency users.
Source: https://cybersecuritynews.com/malicious-chrome-mv3-extension-impersonates-tronlink/
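As an added defender-side example (not code from the article, SlowMist or TronLink), the following Python checks a Chrome profile's Extensions directory for the extension ID quoted above and for names that spell "TronLink" only through Unicode substitutions, and scans proxy log lines for the listed domain. The look-alike character map, the on-disk manifest layout and the sample data are assumptions constructed for the example.

```python
import json
import os
import re
import tempfile
import unicodedata

# Indicators quoted from the report above; the domain is refanged here only for matching.
MALICIOUS_EXTENSION_ID = "ekjidonhjmneoompmjbjofpjmhklpjdd"
MALICIOUS_DOMAIN = "tronfind-api.tronfindexplorer.com"
DOMAIN_RE = re.compile(r"(?<![\w.-])" + re.escape(MALICIOUS_DOMAIN) + r"(?![\w-])")
# Cyrillic/Greek look-alikes for the letters of "tronlink" (assumption: a heuristic; the report does not list the exact characters used).
CONFUSABLES = str.maketrans({"\u0442": "t", "\u043e": "o", "\u03bf": "o", "\u0456": "i", "\u03b9": "i", "\u043a": "k", "\u03ba": "k"})

def looks_like_tronlink_spoof(name):
    """True when a non-ASCII name collapses to 'tronlink' once Unicode tricks are undone."""
    if name.isascii():
        return False  # the genuine listing is judged by its ID, not by its name
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    # Drop format (zero-width), separator and punctuation characters such as U+200B.
    folded = "".join(c for c in folded if unicodedata.category(c)[0] not in "CZP")
    return folded == "tronlink"

def audit_extensions(extensions_dir):
    """Walk Chrome's <profile>/Extensions/<id>/<version>/manifest.json layout (assumed) and return (id, reason) findings."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        if ext_id == MALICIOUS_EXTENSION_ID:
            findings.append((ext_id, "known malicious extension ID"))
        for version in os.listdir(os.path.join(extensions_dir, ext_id)):
            manifest = os.path.join(extensions_dir, ext_id, version, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                name = json.load(fh).get("name", "")
            if looks_like_tronlink_spoof(name):
                findings.append((ext_id, f"Unicode-spoofed name {name!r}"))
    return findings

def find_c2_hits(log_lines):
    """Return proxy/DNS log lines that reference the phishing/exfiltration domain."""
    return [line for line in log_lines if DOMAIN_RE.search(line)]

def build_sample_extensions_dir():
    """Constructed sample profile (not real data): one spoofed and one benign extension."""
    root = tempfile.mkdtemp()
    for ext_id, name in ((MALICIOUS_EXTENSION_ID, "Tron\u200bLink"), ("a" * 32, "Notes")):
        os.makedirs(os.path.join(root, ext_id, "1.0_0"))
        with open(os.path.join(root, ext_id, "1.0_0", "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "manifest_version": 3}, fh)
    return root
```

Point `audit_extensions` at a real profile's Extensions folder to inventory a host; a plain ASCII "TronLink" is deliberately not flagged, since only the ID distinguishes the genuine listing from a clone.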
Google TPRM report: https://www.rankiteo.com/company/google-chrome
"id": "goo1778588839",
"linkid": "google-chrome",
"type": "Vulnerability",
"date": "5/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Over 1 million claimed installs',
                        'industry': 'Cryptocurrency',
                        'name': 'TronLink (impersonated)',
                        'type': 'Crypto Wallet Service'}],
 'attack_vector': 'Malicious Chrome Extension',
 'customer_advisories': 'Users advised to remove the extension and migrate funds to a new wallet',
 'data_breach': {'data_exfiltration': 'Transmitted to attacker-controlled accounts via Telegram',
                 'personally_identifiable_information': 'Wallet credentials (indirectly linked to user identities)',
                 'sensitivity_of_data': 'High (crypto wallet credentials)',
                 'type_of_data_compromised': 'Mnemonic phrases, private keys, passwords'},
 'description': 'A malicious Chrome extension masquerading as the popular TronLink crypto wallet has been discovered stealing sensitive credentials, including mnemonic phrases, private keys, and passwords from unsuspecting users. The extension exploited the reputation of a legitimate listing to evade suspicion and employed a two-layer approach with a remote phishing page to trick users into entering their credentials. Stolen data was transmitted to attacker-controlled accounts via Telegram.',
 'impact': {'brand_reputation_impact': "Damage to TronLink's reputation due to impersonation",
            'data_compromised': 'Mnemonic phrases, private keys, passwords',
            'financial_loss': 'Funds at immediate risk of theft',
            'identity_theft_risk': 'High (wallet credentials stolen)',
            'payment_information_risk': 'High (crypto wallet credentials stolen)',
            'systems_affected': 'User crypto wallets accessed via the extension'},
 'initial_access_broker': {'entry_point': 'Malicious Chrome Extension (ID: ekjidonhjmneoompmjbjofpjmhklpjdd)'},
 'lessons_learned': 'Risks of inherited extension reputations and sophistication of phishing campaigns targeting cryptocurrency users',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Block malicious domain, monitor traffic patterns, public advisories',
                            'root_causes': 'Exploitation of inherited extension reputation, Unicode spoofing, remote phishing page'},
 'recommendations': 'Remove the malicious extension, migrate funds to a new wallet, block malicious domains, monitor for related traffic patterns',
 'references': [{'source': 'SlowMist'}],
 'response': {'communication_strategy': 'Public advisory to users',
              'containment_measures': 'Users advised to remove the extension and migrate funds to a new wallet',
              'remediation_measures': 'Block malicious domain (tronfind-api.tronfindexplorer[.]com), monitor for related traffic patterns',
              'third_party_assistance': 'SlowMist (security firm)'},
 'title': 'Fake TronLink Chrome Extension Steals Crypto Wallet Credentials in Large-Scale Phishing Attack',
 'type': 'Phishing',
 'vulnerability_exploited': 'Inherited extension reputation, Unicode spoofing, remote phishing page'}