BlockBeats News, May 11th - The SlowMist team recently issued a warning after discovering a high-risk phishing incident targeting TRON wallet users. The attacker created a counterfeit Chrome browser extension mimicking the official TronLink wallet, using Unicode bidirectional control characters and visually similar characters from the Cyrillic alphabet to spoof the extension name and deceive users.
The malicious extension listed in the Chrome Web Store has a name highly similar to the genuine version. It also leveraged the real extension's high download count and positive user reviews, lowering the vigilance of regular users. The extension itself contains very little code and is only responsible for loading a full phishing page from a remote server. This "shell and core separated" attack chain makes the malicious behavior difficult to detect through routine static code analysis.
The remotely loaded phishing page is visually almost identical to the genuine TronLink web wallet, specifically designed to trick users into entering their mnemonic phrases, private keys, Keystore files, and wallet passwords. Once users submit this information, it is immediately sent to the attacker via a Telegram bot. Furthermore, the page is equipped with anti-debugging features that disable the right-click menu, developer tools, drag-and-drop operations, and page printing. It also redirects based on the user's geolocation and language settings (especially for Russian-speaking users) to evade automated security scans.
SlowMist recommends that users immediately check and uninstall any suspicious extensions of unknown origin, clear browser local storage data, and watch for any abnormal network requests. If wallet information has inadvertently been leaked, users should promptly create a new wallet and transfer all assets to a secure address.
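One way to screen extension display names for the spoofing described above (bidirectional control characters and Cyrillic look-alike letters), as an added example that is not from SlowMist or the original report. The function names, the partial look-alike table and the sample names are assumptions constructed for illustration.

```python
import unicodedata

# Bidirectional control characters: marks, embeddings, overrides, isolates.
BIDI_CONTROLS = set("\u200e\u200f\u061c\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")

# Partial, hand-picked table of Cyrillic letters that render like Latin ones
# (assumption for this example; Unicode's confusables data is the full set).
CYRILLIC = "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0458\u0455\u043a\u0422\u041d\u041a"
FOLD = str.maketrans(CYRILLIC, "aeopcxyijskTHK")


def scripts(text):
    """Scripts of the letters in text, taken from the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def skeleton(text):
    """Drop bidi controls, normalize, fold look-alikes to Latin, casefold."""
    visible = "".join(ch for ch in text if ch not in BIDI_CONTROLS)
    return unicodedata.normalize("NFKC", visible).translate(FOLD).casefold()


def audit_name(name, trusted=("TronLink",)):
    """Return findings for one extension display name."""
    findings = []
    controls = sorted({f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS})
    if controls:
        findings.append("bidi-control:" + ",".join(controls))
    if {"LATIN", "CYRILLIC"} <= scripts(name):
        findings.append("mixed-script:latin+cyrillic")
    for brand in trusted:
        key = brand.casefold()
        # Only flag names that match the brand after folding, not before.
        if key not in name.casefold() and key in skeleton(name):
            findings.append("lookalike:" + brand)
    return findings


# Constructed sample names; the report does not publish the spoofed string.
SAMPLES = ["TronLink", "Tr\u043enLink", "Tron\u200eLink", "MetaMask"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), audit_name(sample))
```

A name that produces any finding warrants comparing the extension's ID and publisher against the wallet's official download link before trusting it.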
