Blockchain security firm SlowMist has identified a new Linux-based attack vector that abuses trusted applications distributed via the Snap Store to steal users’ crypto recovery seed phrases.
In a post on X, SlowMist chief information security officer 23pds said attackers are exploiting expired domains to take over long-standing Snap Store publisher accounts and push malicious updates through official distribution channels.
The compromised apps reportedly masquerade as well-known crypto wallets such as Exodus, Ledger Live and Trust Wallet, using interfaces that closely mimic legitimate software.
Once installed or updated, the malicious applications prompt users to enter their wallet recovery phrases, enabling attackers to steal credentials and drain funds without the victims realizing they have been compromised.

Attackers exploit expired domains to hijack Snap Store publishers
The Snap Store is Linux’s official app marketplace, distributing software packaged as “snaps,” and is often compared to Apple’s App Store on macOS or the Microsoft Store on Windows.
SlowMist explained that the attack hinges on tracking Snap Store developer accounts linked to domains that have expired but were previously tied to legitimate publishers.
Once a domain lapses, attackers can re-register it and use domain-associated email addresses to reset Snap Store account credentials.
According to SlowMist, this method enables attackers to quietly seize control of established publisher accounts with existing users and download histories. Malicious code can then be delivered through routine software updates rather than new installations.
SlowMist confirmed that two publisher domains — “storewise[.]tech” and “vagueentertainment[.]com” — were compromised using this technique, with associated apps altered to impersonate popular crypto wallets.
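
A defender-side check for the takeover path described above, as an added example that is not code from SlowMist or the Snap Store: it flags publisher contact domains that have expired, are close to expiring, or were registered after the publisher's first release. The publisher records, the `.example` domains, the dates and the `audit` helper are all constructed for illustration; real input would come from store metadata and RDAP lookups.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: not real Snap Store or registry records.
PUBLISHERS = [
    {"snap": "notes-app", "contact": "dev@stable.example", "first_release": "2018-05-01"},
    {"snap": "wallet-ui", "contact": "team@lapsed.example", "first_release": "2019-03-02"},
    {"snap": "sync-tool", "contact": "ops@fading.example", "first_release": "2020-07-15"},
    {"snap": "old-game", "contact": "me@gone.example", "first_release": "2017-01-10"},
]
# Domain -> RDAP-style event list (eventAction names as in RFC 9083).
RDAP = {
    "stable.example": [("registration", "2015-02-01T00:00:00Z"), ("expiration", "2027-02-01T00:00:00Z")],
    "lapsed.example": [("registration", "2025-11-20T00:00:00Z"), ("expiration", "2026-11-20T00:00:00Z")],
    "fading.example": [("registration", "2016-06-30T00:00:00Z"), ("expiration", "2026-02-10T00:00:00Z")],
    "gone.example": [("registration", "2014-09-09T00:00:00Z"), ("expiration", "2025-09-09T00:00:00Z")],
}

def parse(ts):
    """Parse an ISO 8601 date or timestamp as timezone-aware UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit(publishers, rdap, now, warn_days=30):
    """Return (snap, domain, finding) for contact domains that need review."""
    findings = []
    for pub in publishers:
        domain = pub["contact"].rsplit("@", 1)[-1].lower()
        events = {action: parse(date) for action, date in rdap.get(domain, [])}
        reg, exp = events.get("registration"), events.get("expiration")
        if reg is None or exp is None:
            findings.append((pub["snap"], domain, "no-registry-data"))
        elif reg > parse(pub["first_release"]):
            # Registered after the publisher was already shipping: either the
            # contact moved to a newer domain or the old one lapsed and was
            # registered again, possibly by someone else. Needs manual review.
            findings.append((pub["snap"], domain, "re-registered"))
        elif exp < now:
            findings.append((pub["snap"], domain, "expired"))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((pub["snap"], domain, "expiring-soon"))
    return findings

if __name__ == "__main__":
    for row in audit(PUBLISHERS, RDAP, now=parse("2026-01-25")):
        print(*row, sep="\t")
```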

Supply-chain attacks rise as crypto exploits grow more sophisticated
The Snap Store attack reflects a broader shift in crypto-related threats, with attackers increasingly focusing on infrastructure and distribution channels instead of smart contract vulnerabilities.
Data from CertiK shared with Cointelegraph in December showed that crypto-related losses totaled $3.3 billion in 2025, even as the number of individual hacking incidents fell sharply.
CertiK noted that losses became concentrated in fewer but far more damaging supply-chain attacks, which accounted for $1.45 billion in losses across just two incidents.
The trend suggests that as protocol-level security improves, attackers are turning to higher-impact strategies that exploit trust relationships, software update mechanisms and third-party infrastructure.

