Phishing 2.0: How Hackers Hijacked 1,000,000+ Chrome Users to Steal Tron Wallets

A sophisticated new phishing campaign has surfaced, specifically targeting the TRON ecosystem through a highly deceptive Chrome extension. By masquerading as the widely used TronLink wallet, attackers are leveraging advanced social engineering and dynamic code execution to bypass traditional browser security models.

This campaign represents a significant shift in how browser extension abuse is evolving. Instead of relying on static, easily detectable malicious code, attackers are now utilizing “living-off-the-land” techniques, where the initial installation appears benign, but the actual payload is fetched from a remote server at runtime.

One of the most alarming aspects of this attack is the exploitation of “reputation hijacking.” The malicious extension displays a metric of “1,000,000+ users” and high star ratings on the Chrome Web Store. This isn’t a fabrication of numbers, but rather the result of attackers acquiring or repurposing a previously legitimate extension listing, thereby inheriting its established trust and user base.

Identified by SlowMist’s MistEye monitoring system, the campaign combines high-fidelity brand impersonation with dynamic remote content loading to systematically harvest sensitive cryptographic credentials.

Visual Deception via Homoglyph Attacks

To ensure the extension is visually indistinguishable from the authentic TronLink, the attackers employed advanced Unicode manipulation. By using Unicode bidirectional control characters and Cyrillic homoglyphs, they were able to spoof the brand name in the browser interface. These characters trick the human eye into seeing a legitimate name while the underlying code differs, effectively deceiving users during the critical installation phase.

Furthermore, the extension is architected to appear “low-risk” during automated permission audits. It requests minimal permissions—primarily just storage access—while quietly establishing communication with external endpoints such as tronfind-api.tronfindexplorer.com. This streamlined permission profile is a calculated move to evade security reviews that typically flag extensions requesting broad access to user data or all website permissions.

The malicious lifecycle operates through a sophisticated two-layer execution model designed to defeat static analysis.

Layer 1: The Manifest V3 Wrapper
The malicious sample is presented as a Chrome Manifest V3 (MV3) extension, disguised as a harmless blockchain explorer tool. Because MV3 enforces stricter security policies, the attackers have adapted by making the extension a lightweight shell.

Once installed, the extension does not rely on local malicious scripts. Instead, it checks for connectivity to a remote server and, if available, injects a full-screen iframe into the popup window. This allows the attackers to serve a fully functional, malicious user interface (UI) in real-time without ever modifying the extension’s core code on the user’s machine.

MistEye Response analysis showing the extension structure
MistEye Response Analysis (Source: Medium).

Layer 2: The Dynamic Phishing Payload
The remote content loaded into the iframe is a highly polished, Next.js-based single-page application (SPA) that replicates the TronLink interface with pixel-perfect accuracy. This layer is where the actual credential theft occurs. Users are prompted to “import” their wallets by providing mnemonic phrases, private keys, or keystore files.

The exfiltration process is highly efficient. Using JavaScript functions such as sendWords(), the application packages the stolen sensitive data into JSON objects and transmits them via POST requests to the attacker’s backend API. In a terrifyingly efficient workflow, these credentials are then forwarded in real-time to an attacker-controlled Telegram bot, allowing for immediate exploitation of the stolen assets.

This compromise extends to newly created wallets as well. The system tracks the generation of new mnemonic phrases and passwords, ensuring that even users who believe they are starting fresh are immediately compromised.

Remote UI Loading Process
Remote UI Loading via Iframe (Source: Medium).

Evasion and Anti-Analysis Countermeasures

The attackers have implemented a robust suite of defensive mechanisms to protect their infrastructure from security researchers:

  • Environment Detection: The phishing site utilizes visitor-tracking APIs to identify sandbox environments or known security researcher IP ranges, redirecting them to benign, blank pages.
  • UI Lockdown: The interface disables right-click actions, blocks the opening of Developer Tools, clears console logs, and prevents text selection to hinder manual inspection.
  • Geo-Targeting: The campaign employs strategic redirection. For instance, users with Russian language settings or specific time zones are redirected to alternative domains like trx-scan-explorer.org, likely to evade regional scrutiny or tailor the social engineering approach.
Visual Impersonation of the TronLink UI
High-Fidelity UI Impersonation (Source: Medium).

Infrastructure Summary

The backbone of this operation is the domain tronfind-api.tronfindexplorer.com, which serves as both the remote UI delivery endpoint and the credential collection backend. To maintain high availability and stealth, the phishing site is hosted on Vercel, leveraging their global edge network to minimize latency and provide a veneer of legitimacy.

Security Recommendation: Because this attack relies on content that is only loaded after installation, traditional static scanning of the Chrome Web Store may fail to catch it. Users should exercise extreme caution, only installing wallet extensions from official, verified links, and remain vigilant if a trusted extension suddenly undergoes significant branding changes or unusual permission requests.

Related Articles

Back to top button