SlowMist Reports Advanced TRON Wallet Phishing Attack With Chrome Extension Impersonation And Remote Iframe Loading
In Brief
SlowMist reports a TRON wallet phishing campaign using a fake Chrome extension and remote phishing pages to steal credentials, featuring anti-analysis tools, geo-targeting, and hidden infrastructure.

Threat intelligence firm SlowMist reported that it has identified a high-risk phishing campaign aimed at TRON wallet users, involving a malicious Chrome MV3 extension designed to impersonate the TronLink Wallet brand.
According to the analysis, the attack combines deceptive branding, remotely loaded user interfaces, and data-exfiltration mechanisms in a layered structure intended to capture wallet credentials while reducing the likelihood of detection during review.
The first stage of the campaign centers on a fraudulent browser extension that mimics a legitimate TRON-related tool. SlowMist said the extension relies on Unicode bidirectional control characters and Cyrillic homoglyphs to make its name appear similar to the official TronLink label. Although the package itself presents as a low-permission extension, its behavior changes after installation. When the user opens the popup, the extension checks a remote endpoint and, if available, loads a full interface from an external iframe rather than relying on a static local page.
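As an added defender-side check (not code from SlowMist's report), the script below flags an extension display name that carries Unicode bidirectional controls or Cyrillic look-alike letters and folds it to a Latin skeleton for comparison against the genuine TronLink label; the confusables table is a constructed, partial list and the sample names are constructed.

```python
import unicodedata

# Unicode bidirectional control characters: the class of characters the report
# says the fake extension uses to disguise its name. None belong in a display name.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u061c",                                           # ALM
}

# Cyrillic letters that render like Latin letters, mapped to the Latin look-alike.
# Constructed partial table for this example (covers the letters in "TronLink").
CYRILLIC_CONFUSABLES = {
    "\u0422": "T", "\u043e": "o", "\u0456": "i", "\u043a": "k",
    "\u0435": "e", "\u0430": "a", "\u0441": "c", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0458": "j",
}


def skeleton(name: str) -> str:
    """Drop bidi controls, fold Cyrillic look-alikes to Latin, NFKC-normalise."""
    s = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    s = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in s)
    return unicodedata.normalize("NFKC", s)


def scripts_in(name: str) -> set:
    """Return the set of Unicode script names (LATIN, CYRILLIC, ...) of the letters."""
    out = set()
    for ch in name:
        if ch.isalpha():
            try:
                out.add(unicodedata.name(ch).split(" ")[0])
            except ValueError:          # unassigned code point
                out.add("UNKNOWN")
    return out


def check_extension_name(name: str, brand: str = "TronLink") -> dict:
    """Flag a name that hides bidi controls, mixes scripts, or folds to the brand."""
    bidi = sorted(f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS)
    mixed = len(scripts_in(name)) > 1
    folded = skeleton(name)
    lookalike = folded.casefold() == skeleton(brand).casefold() and name != brand
    return {"bidi_controls": bidi, "mixed_script": mixed, "skeleton": folded,
            "impersonates_brand": lookalike, "flag": bool(bidi) or mixed or lookalike}


if __name__ == "__main__":
    for sample in ["TronLink", "\u0422ron\u200eLink", "\u202eTronLink\u202c"]:
        print(repr(sample), check_extension_name(sample))
```

Running the check over the names of installed extensions (for example, the `name` field of each `manifest.json`) turns the naming trick the report describes into a mechanical audit step.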
That remote component forms the second stage of the operation. The phishing site closely imitates the look and function of the TronLink web wallet, including the pages used to import mnemonic phrases, private keys, and keystore files. SlowMist said the interface collects sensitive information such as recovery phrases, private keys, keystore data, and passwords, then forwards it through server-side APIs to attacker-controlled infrastructure. The report indicated that the data is relayed in real time through the Telegram Bot API.
The extension also stores several local markers, including information about whether the remote service is reachable, the URL used for the iframe, and recent search records. SlowMist noted that these items can remain in local storage until the extension is removed. Because the visible popup content is pulled from a remote source, the malicious behavior can be changed without modifying the extension package itself, complicating static analysis and conventional store review procedures.
Inside TRON Phishing Campaign: Anti-Analysis Techniques, Geo-Targeting, And Multi-Layer Attack Architecture
According to the report, the phishing page includes additional safeguards meant to hinder investigation. These measures include blocking right-click actions, disabling text selection, intercepting developer tools shortcuts, suppressing console output, preventing dragging, and blocking print commands. The page also tracks visitor behavior and checks whether a session should be blocked, redirecting suspicious traffic to a blank page. SlowMist said these controls are intended to frustrate sandbox testing and automated inspection.
The analysis further described geographic filtering logic, with users detected from Russian-language settings or Russian time zones being redirected to a separate domain. SlowMist interpreted this behavior as either region-specific phishing handling or an attempt to avoid attention from local investigators. The main infrastructure was identified as a remote domain hosted on Vercel, while other legitimate TRON ecosystem services embedded in the code were described as part of fallback or query functionality rather than malicious activity.
SlowMist characterized the operation as a two-layer attack model in which a deceptive browser extension acts as the initial contact point while a remotely controlled web page carries out the actual credential theft. The company said this design illustrates how malicious actors can separate visible shell components from hidden backend behavior, making the campaign harder to identify through routine static checks alone.
The warning was issued as a reminder for users and security teams to treat unauthorized extensions with caution, review installed browser add-ons, and monitor for unusual traffic tied to wallet-import workflows and related phishing infrastructure.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in crypto, AI, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.