Cryptocurrency security company SlowMist has issued a security alert warning of a high-risk phishing attack targeting TRON (TRX) wallet users, according to a press release from the company. Attackers created a malicious Chrome extension that mimics the official TronLink wallet, using sophisticated spoofing techniques to deceive users into installation. The fake extension steals wallet credentials and transmits them to attackers in real-time.
Attack Method
The malicious extension employs Unicode bidirectional control characters and similar Cyrillic letters to spoof the extension’s name, making it nearly identical to the legitimate TronLink wallet extension. The fake extension is listed in the Chrome Web Store and leverages the high download numbers and positive reviews of the official version to appear trustworthy to ordinary users, making detection extremely difficult.
Attack Chain
Once installed, the malicious extension uploads a phishing page via a remote server. This page perfectly replicates the official TronLink web wallet interface. When victims log into their TRON wallet through the fake interface, the extension captures their private keys, keystore files, and passwords. This stolen information is transmitted to the attackers in real-time through a Telegram bot, completing the credential theft chain.
Recommended Actions for TRON Users
SlowMist recommends the following protective measures:
- Immediately check and remove any suspicious extensions from unknown sources from your browser
- Clear your browser’s local storage data to remove any cached credentials
- Be aware of unusual network requests that may indicate ongoing phishing attempts
- If wallet information has been compromised, immediately create a new wallet and move all assets to a secure address
The security firm emphasizes that users should only download wallet extensions from official sources and verify URLs carefully before entering sensitive information.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
A Telegram username sold for a million-dollar price triggers a forged USDT phishing attack
According to Bits.media, reported on May 13, multiple Telegram usernames and virtual vanity numbers were sold on the Fragment auction platform at record-high TON token prices; within a few hours after the trades, the attacker launched a forged USDT attack on users of the TON blockchain NFT trading platform Getgems. A Chinese collector reportedly lost more than $800k in a virtual-number code. Fragment Platform Vanity Number Deal Records According to Bits.media, the major completed deals on the Fr
MarketWhisper54m ago
Telegram Usernames Sell for Record $2.1 Million in TON, Followed by Phishing Attacks
According to Bits.media, Telegram usernames and premium numbers sold for record-high prices in TON tokens on May 13, with @danbao fetching 1.58 million TON (approximately $2.1 million) from an anonymous buyer last weekend, marking the platform's highest transaction. Other premium numbers
GateNews1h ago
Aave and Kelp Complete First Step of rsETH Recovery, Destroy 117,132 rsETH on Arbitrum
According to ChainCatcher, Aave and Kelp have completed the first phase of their rsETH recovery plan, destroying attacker-held rsETH on Arbitrum. Over the coming days, the parties will gradually replenish funds to LayerZero's OFT adapter and phase in the restart of rsETH operations, with 117,132 rsE
GateNews3h ago
Bitcoin Network Flooded With 200,000 Fake Node Addresses Since April 9, Sparking Sybil Attack Concerns
According to Bitcoin developer Jameson Lopp, roughly 200,000 unreachable node addresses have been flooding Bitcoin's peer-to-peer network since April 9, 2026, raising concerns about a potential Sybil-style attack. The anomaly caused ADDR messages—the protocol nodes use to share peer addresses—to
GateNews7h ago
The U.S. DOJ charges three men from Tennessee for cross-state wrench attacks: robbed a California crypto holder of $6.5 million
The U.S. Department of Justice on May 12 filed federal charges against three Tennessee men: Elijah Armstrong, Nino Chindavanh, and Jayden Rucker. The three allegedly crossed state lines into California from November to December 2025, disguised themselves as delivery workers to break into the homes of cryptocurrency holders, then after restricting the victims’ movements with firearms, zip ties, and tape, forced them to transfer crypto assets, with the single largest amount reaching $6.5 million.I
ChainNewsAbmedia14h ago
Aurellion Suffers Attack, 455,003 USDC Drained Today
According to Slow Mist, decentralized shipping project Aurellion suffered an attack today (May 12), with attackers gaining control of the Diamond contract and draining 455,003 USDC from multiple authorized victim
GateNews16h ago
