SlowMist: TRON users should be wary of phishing campaigns impersonating the TronLink Chrome extension.

CoinFeed reported on May 11 that SlowMist issued a security alert, reporting a high-risk phishing campaign targeting TRON wallet users. Attackers created a fake TronLink wallet Chrome extension, using Unicode bidirectional control characters and Cyrillic homographs to spoof the brand name. After installation, the extension loads a complete phishing page via a remote iframe, forming a "shell-core separation" credential theft chain. The malicious extension name uses homographs for spoofing, and its Chrome store page inherits the high user count and positive reviews of the genuine extension, lowering the barrier to entry for review. The local code is minimal, only loading a remote page, making the malicious behavior almost undetectable by static analysis.