Malicious Actors Initiate Phishing Campaigns Impersonating TronLink

Key Insights

• Security analysts at SlowMist have identified a fake TronLink wallet Chrome extension used in a phishing campaign.
• The malicious extension can steal private data from wallets, such as private keys, mnemonic phrases, etc., once installed and has advanced anti-detection capability.
• Crypto hacks rise substantially in April, with over $600 million in what Binance CEO describes as troubling.

Security researchers warned TronLink users about a phishing campaign involving a fake Chrome wallet extension designed to steal private wallet credentials.

Blockchain security firm SlowMist said the malicious software impersonated the popular TRON wallet TronLink while using advanced spoofing methods to avoid detection.

The warning arrived as crypto hacks and phishing attacks continued rising sharply across decentralized finance platforms in 2026.

Attackers Deploying Malicious Chrome Extension to Steal Users’ Data

According to SlowMist, its MistEye monitoring system detected the attack, which involves a fake Chrome MV3 extension that impersonates TronLink Wallet. It can bypass easy detection by spoofing the brand name with Unicode bidirectional control characters and Cyrillic homoglyphs.

As a result, the fake extension looks like the genuine version and even inherits the original extension’s positive reviews and high download counts. This makes it even more difficult to detect.

However, the fake extension is a phishing page that loads a remote iframe once installed. This page steals credentials from the device, including private keys, passwords, mnemonic phrases, and keystore files.

All stolen data is sent in real time via a Telegram bot. The SlowMist team identified the malicious extension ID as ekjidonhjmneoompmjbjofpjmhklpjdd.

Interestingly, the phishing extension has several advanced techniques to prevent detection. These include minimal local code, in-built anti-analysis features, and geo-language-based redirection for Russian users.

While the SlowMist alert did not specify whether anyone has been affected by the campaign, it is highly likely given TronLink’s popularity on the TRON network. However, users are advised to uninstall any suspicious extensions, check for abnormal traffic, and clear localStorage.

For anyone who has likely downloaded the fake extension and entered their credentials. It is best to quickly transfer their assets to a new wallet. The ID for the official TronLink extension is ibnejdfjmmkpcnlpebklmnkoeoihofec.

Crypto Hacks Intensify in 2026 as Over $600 Million Lost to DeFi Exploits in April

Meanwhile, the alert further highlights the growing risks crypto users now face. 2026 has proven to be a particularly tough year for DeFi, with over $600 million already lost to exploits.

According to Binance CEO Richard Teng, DeFi hacks resulted in $621 million in losses in April alone. He noted that this shows how security is a major concern that the industry needs to invest in.

Interestingly, most of the losses have been attributed to North Korea-backed hackers. TRM Labs put the total losses from crypto hacks in 2026 at around $759 million.

However, 76% of that amount, or $577 million, is traceable to just two attacks attributed to North Korean groups. These two attacks, KelpDAO and Drift Protocol, demonstrate the attackers’ high-level precision, as they spent weeks or even months preparing before the incidents.

The Drift Protocol exploit also involved social engineering and phishing tactics. There were in-person meetings between proxies of the hacking group and Drift Protocol representatives.

Malicious browser extensions are also growing as an attack vector for phishing scams, with Trust Wallet also hit with a similar issue in late 2025.

The growing sophistication of phishing campaigns and browser-based attacks continues increasing security pressure across crypto wallets, exchanges, and DeFi protocols.

The post Malicious Actors Initiate Phishing Campaigns Impersonating TronLink appeared first on The Market Periodical.