PANews reported on May 11 that SlowMist issued a security alert about a high-risk phishing campaign targeting TRON wallet users. Attackers created a fake TronLink wallet Chrome extension, using Unicode bidirectional control characters and Cyrillic homographs to spoof the brand name. Once installed, the extension loads a complete phishing page remotely via an iframe, forming a "shell-core separation" credential theft chain.
The malicious extension uses homographs to disguise its name, and its Chrome store page inherits the high user base and positive reviews of the legitimate extension, lowering the level of scrutiny it receives. The local code is minimal and only loads the remote page, making it almost impossible for static analysis to detect the malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, keystore files, and passwords, and transmitting them back in real time via a Telegram bot. Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian-speaking users to evade detection.
SlowMist recommends immediately uninstalling the suspicious extension, cleaning local storage, and checking for abnormal traffic. If credentials have been entered, users should immediately create a new wallet and transfer their assets.
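The name-spoofing technique described above can be checked for when auditing an inventory of installed extension names. The following is an added example, not code from SlowMist or the original report; the homograph map, the protected brand list and the sample names are constructed assumptions.

```python
import unicodedata

# Bidirectional control characters: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")

# Constructed, non-exhaustive fold of Cyrillic letters that render like Latin
# ones (a c e o p x y i j s k, then A B C E H K M O P T X I J S).
FOLD = str.maketrans(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u0458\u0455\u043a"
    "\u0410\u0412\u0421\u0415\u041d\u041a\u041c\u041e\u0420\u0422\u0425"
    "\u0406\u0408\u0405",
    "aceopxyijsk" "ABCEHKMOPTX" "IJS",
)

def skeleton(name):
    """Drop invisible format characters (category Cf) and fold look-alikes."""
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible).translate(FOLD).casefold()

def audit_name(name, protected_brands=("TronLink",)):
    """Return a list of findings for one extension display name."""
    findings = []
    bidi = sorted({f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS})
    if bidi:
        findings.append("bidi-control:" + ",".join(bidi))
    # The first word of a letter's Unicode name is its script.
    scripts = {unicodedata.name(ch, "?").split()[0] for ch in name if ch.isalpha()}
    if {"LATIN", "CYRILLIC"} <= scripts:
        findings.append("mixed-script:latin+cyrillic")
    for brand in protected_brands:
        plain = brand.casefold()
        # Reads as the brand after folding, but is not the brand byte-for-byte.
        if plain in skeleton(name) and plain not in name.casefold():
            findings.append("spoofs:" + brand)
    return findings

# Constructed sample names; the campaign's real spoofed string is not on the page.
SAMPLE_NAMES = ["TronLink", "Tr\u043enL\u0456nk", "Tron\u200fLink",
                "\u041c\u0435\u0442\u0430\u043c\u0430\u0441\u043a"]

def audit_inventory(names):
    """Map each flagged name (escaped for safe display) to its findings."""
    return {n.encode("unicode_escape").decode(): f
            for n in names if (f := audit_name(n))}

if __name__ == "__main__":
    for shown, found in audit_inventory(SAMPLE_NAMES).items():
        print(shown, found)
```

Names are printed in escaped form so that bidi controls in a flagged name cannot reorder the analyst's own terminal or report output.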




