TechFlow News: On May 11, SlowMist disclosed that its security monitoring system, MistEye, detected a malicious Chrome MV3 extension impersonating TronLink, launching a two-layer phishing attack targeting TRON wallet users. The extension uses Unicode obfuscation and brand spoofing to masquerade as the official plugin. Upon installation, it first loads a remote iframe popup page designed to trick users into entering their mnemonic phrases, private keys, keystore files, and passwords, then exfiltrates this sensitive data via same-origin API calls to a Telegram bot. The malicious infrastructure involved includes tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org; the malicious extension ID is ekjidonhjmneoompmjbjofpjmhklpjdd. SlowMist advises users to immediately uninstall this extension; if sensitive information has already been submitted, users should promptly migrate their assets and discontinue use of the compromised wallet.
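A local check for the indicators above, as an added example that is not from SlowMist or the original article: it scans a Chrome "User Data" directory for the reported extension ID and for packaged files that reference the reported domains. The sample profile and the `aaaa…`/`bbbb…` extension IDs are constructed, and the plain-substring domain match is an assumption that can miss obfuscated strings.

```python
import sys, tempfile
from pathlib import Path

# Indicators from the SlowMist disclosure reported above (domains kept defanged).
BAD_ID = "ekjidonhjmneoompmjbjofpjmhklpjdd"
BAD_DOMAINS = ["tronfind-api[.]tronfindexplorer[.]com", "trx-scan-explorer[.]org"]
SCANNED_SUFFIXES = {".json", ".js", ".html"}

def scan(user_data_dir):
    """Return sorted (profile, extension_id, reason) findings for one User Data dir."""
    found = set()
    # On-disk layout: <User Data>/<profile>/Extensions/<extension id>/<version>/...
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if not ext_dir.is_dir():
            continue
        profile, ext_id = ext_dir.parent.parent.name, ext_dir.name
        if ext_id == BAD_ID:
            found.add((profile, ext_id, "extension ID match"))
        # A copy published under another ID may still reference the same servers,
        # so also search the packaged files for the reported domains.
        for path in ext_dir.rglob("*"):
            if path.suffix.lower() not in SCANNED_SUFFIXES or not path.is_file():
                continue
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for dom in BAD_DOMAINS:
                if dom.replace("[.]", ".") in text:
                    found.add((profile, ext_id, "references " + dom))
    return sorted(found)

def demo():
    """Scan a constructed profile: the reported ID, a re-IDed copy, a clean extension."""
    live = BAD_DOMAINS[1].replace("[.]", ".")
    samples = {BAD_ID: ("manifest.json", '{"manifest_version": 3}'),
               "a" * 32: ("popup.js", 'frame.src = "https://%s/";' % live),
               "b" * 32: ("manifest.json", '{"manifest_version": 3}')}
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, (name, body) in samples.items():
            version_dir = Path(tmp, "Default", "Extensions", ext_id, "1.0_0")
            version_dir.mkdir(parents=True)
            (version_dir / name).write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    # Pass a Chrome "User Data" directory, e.g. ~/.config/google-chrome on Linux.
    for target in sys.argv[1:]:
        print(target, scan(target))
    print("constructed sample:", demo())
```

A finding on a real profile means the wallet secrets entered into that extension should be treated as exposed, per the advice above.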




