--- title: "Blockchain Security Firm SlowMist Reports Malicious Chrome Extension Masquerading as TronLink Wallet" type: "News" locale: "en" url: "https://longbridge.com/en/news/285910890.md" description: "Blockchain security firm SlowMist has reported a malicious Chrome extension posing as a TronLink wallet. The extension, with ID ekjidonhjmneoompmjbjofpjmhklpjdd, uses deceptive tactics to gain user trust, including high ratings and over a million installations. It operates by loading a remote phishing page that mimics the TronLink UI, prompting users for sensitive information. SlowMist advises immediate uninstallation of the extension and creation of a new wallet if credentials were compromised. Malicious domains involved include tronfind-api[.] tronfindexplorer[.] com and trx-scan-explorer[.] org, while the official TronLink extension ID is ibnejdfjmmkpcnlpebklmnkoeoihofec." datetime: "2026-05-11T09:03:35.000Z" locales: - [zh-CN](https://longbridge.com/zh-CN/news/285910890.md) - [en](https://longbridge.com/en/news/285910890.md) - [zh-HK](https://longbridge.com/zh-HK/news/285910890.md) --- # Blockchain Security Firm SlowMist Reports Malicious Chrome Extension Masquerading as TronLink Wallet Blockchain security firm SlowMist has released a threat intelligence report detailing a malicious Chrome extension disguised as a TronLink wallet. According to Foresight News, the extension, identified by ID ekjidonhjmneoompmjbjofpjmhklpjdd, uses Unicode bidirectional control characters and Cyrillic letters to impersonate the TronLink brand name. It inherits high ratings from existing Chrome store extensions, showing over a million installations and a 4.5-star rating, to lower user suspicion. The attack operates on two levels: the first involves a local malicious extension that, once installed, prioritizes loading a remote iframe as a pop-up interface, requesting minimal permissions to evade review. The second level consists of a remote phishing page hosted on the Vercel platform, which fully mimics the TronLink web wallet UI. It prompts users to input mnemonic phrases, private keys, and Keystore files, then sends these credentials to attackers via a Telegram Bot (chat\_id: 8334454422). The phishing page includes visitor identification and blocking logic, disables right-click and developer tools, and redirects Russian-speaking users to another domain to avoid dynamic analysis by security researchers. SlowMist advises users who have installed the extension to uninstall it immediately and clear local storage. If wallet credentials were entered on the extension or phishing page, users should create a new wallet on a trusted device and transfer assets. The malicious domains involved are tronfind-api\[.\] tronfindexplorer\[.\] com and trx-scan-explorer\[.\] org. The official TronLink extension ID is ibnejdfjmmkpcnlpebklmnkoeoihofec, which users can verify by comparing IDs. ### Related Stocks - [TRON.US](https://longbridge.com/en/quote/TRON.US.md) - [BITO.US](https://longbridge.com/en/quote/BITO.US.md) - [HODL.US](https://longbridge.com/en/quote/HODL.US.md) - [BLOK.US](https://longbridge.com/en/quote/BLOK.US.md) - [BITB.US](https://longbridge.com/en/quote/BITB.US.md) ## Related News & Research - [EXCLUSIVE-How Trump's crypto venture and Iran's top exchange tapped into the same industry networks](https://longbridge.com/en/news/286735446.md) - [Justin Sun-Linked Tron Says It Can't 'Monitor And Investigate' Every User As Report Suggests Iran Crypto Exchange Moved Millions On Its Chain](https://longbridge.com/en/news/286855311.md) - [This Country Is Going Onchain — And Ripple Rival Stellar Just Landed The Deal](https://longbridge.com/en/news/286256430.md) - [Bernstein says Figure's Q1 results shows uniqueness of blockchain marketplaces](https://longbridge.com/en/news/286683616.md) - [Tron Reports Strong Q1 Results Driven by TRX Treasury](https://longbridge.com/en/news/285950677.md)