KeyAudit

phishing · private-key-leak · social-engineering

SlowMist Flags Fake TronLink Chrome Extension with Remote Phishing

SlowMist's MistEye security monitoring system detected a high-risk phishing sample targeting TRON wallet users. The sample disguises itself as a Chrome MV3 extension related to the TRON wallet ecosystem and builds a complete wallet credential theft chain through brand impersonation and a remotely loaded, changeable UI.

The attack has two layers: a fake TronLink Chrome extension that uses Unicode bidirectional control characters and Cyrillic homoglyphs to spoof the brand, and a remote phishing page that fully imitates TronLink Wallet's UI to collect mnemonics, private keys, keystore files, and passwords, exfiltrating them via same-origin APIs and a Telegram Bot. The extension loads a remote iframe as the popup interface, so a static review of the package is not enough to detect the later malicious behavior. MistEye issued a high-risk alert and pushed notifications to clients.

The malicious extension inherits a legitimate Chrome Web Store listing with millions of users and high ratings, likely because attackers first compromised the original listing before uploading a new version with replaced name, icon, and description.

The remote phishing page uses Next.js, implements anti-analysis techniques (disabling right-click, DevTools shortcuts, text selection, and console output), and performs geo-targeted redirection for Russian users. Credentials are sent to a Telegram Bot with chat_id 8334454422.

Users are advised to verify extension IDs, avoid installing extensions with suspicious names, and use wallet leak checking services.

Key facts

  • Fake TronLink Chrome extension uses Unicode control chars and Cyrillic homoglyphs to spoof brand.
  • Extension loads remote iframe for popup; static review cannot detect its later phishing behavior.
  • Remote Next.js page mimics TronLink Wallet, steals mnemonics, private keys, keystore, and passwords.
  • Stolen data exfiltrated via same-origin API and Telegram Bot (chat_id 8334454422).
  • Extension inherited legitimate store listing with millions of users, indicating account compromise.
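
The two extension-side indicators above (a spoofed name and a remotely loaded popup) can be checked on an unpacked extension before it is trusted. The following is an added example, not code from SlowMist or KeyAudit; the sample manifest, popup HTML, and the `remote.example` host are constructed, and the script test based on Unicode character names is a heuristic.

```python
import json
import unicodedata
from html.parser import HTMLParser

# Code points carrying the Unicode Bidi_Control property (ALM, LRM/RLM, embeddings, isolates).
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}

def audit_name(name):
    """Flag bidi control characters and Latin letters mixed with another script."""
    findings = []
    bidi = [f"U+{ord(c):04X}" for c in name if ord(c) in BIDI_CONTROLS]
    if bidi:
        findings.append("bidi-control:" + ",".join(bidi))
    # Heuristic: the first word of a letter's Unicode name is its script (LATIN, CYRILLIC, ...).
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}
    if "LATIN" in scripts and len(scripts) > 1:
        findings.append("mixed-script:" + ",".join(sorted(scripts)))
    return findings

class _IframeFinder(HTMLParser):
    """Collect iframe sources that point outside the extension package."""
    def __init__(self):
        super().__init__()
        self.remote = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "iframe" and src.lower().startswith(("http://", "https://", "//")):
            self.remote.append(src)

def audit_extension(manifest_text, popup_html):
    """Return findings for a manifest.json and the HTML of its popup page."""
    manifest = json.loads(manifest_text)
    findings = audit_name(manifest.get("name", ""))
    finder = _IframeFinder()
    finder.feed(popup_html)
    return findings + ["remote-popup-iframe:" + s for s in finder.remote]

# Constructed sample: Cyrillic U+043E in place of Latin "o", plus a right-to-left override.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Tr\u043enLink\u202e Wallet",
    "action": {"default_popup": "popup.html"},
})
SAMPLE_POPUP = '<html><body><iframe src="https://remote.example/ui"></iframe></body></html>'

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_POPUP):
        print(finding)
```

A name that draws on `_locales` (`__MSG_...__`) has to be resolved to its message strings before it is passed to `audit_name`.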

KeyAudit data perspective

📊 KeyAudit data: TRON historical leak records: 924545
