- Linux Snap Store apps hijacked to steal crypto recovery phrases.
- Attackers exploit expired domains to distribute malicious crypto wallet updates.
- Crypto wallets impersonated to exfiltrate recovery phrases and drain funds.
According to a recent warning from blockchain security company SlowMist, a new attack targeting Linux systems is exploiting trusted applications distributed through the Snap Store. The attack is particularly dangerous as it allows cybercriminals to steal users’ crypto recovery seed phrases.
SlowMist’s chief information security officer, 23pds, flagged the issue on X, describing how attackers hijack long-established Snap Store publisher accounts. The attackers use expired domain names to take control of publisher accounts that were originally associated with legitimate crypto applications.
Once the domain expires, attackers can re-register it and access email addresses linked to developer accounts. This enables them to reset account credentials and push malicious updates to existing applications.
The modified apps appear as trusted crypto wallet software, including popular wallets like Exodus, Ledger Live, and Trust Wallet. Users who install or update these apps unknowingly provide their recovery phrases. The attackers can then use this information to steal funds without the users realizing their accounts have been compromised.
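One way a defender could check for the precondition described above, as an added example that is not SlowMist's or the Snap Store's code: compare each snap publisher's contact-email domain against RDAP registration and expiration dates. The snap records, their field names and the `.example` domains are constructed assumptions; only the RDAP `events` layout follows RFC 9083.

```python
from datetime import datetime, timedelta
# Constructed sample data: snap names, field names and domains are hypothetical.
SNAPS = [
    {"name": "wallet-a", "contact": "mailto:dev@publisher-a.example",
     "first_published": "2019-03-01T00:00:00+00:00"},
    {"name": "wallet-b", "contact": "dev@publisher-b.example",
     "first_published": "2020-06-15T00:00:00+00:00"},
]
# Constructed RDAP domain responses, cut down to the RFC 9083 "events" array.
RDAP = {
    "publisher-a.example": {"events": [
        {"eventAction": "registration", "eventDate": "2025-11-20T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-11-20T10:00:00Z"}]},
    "publisher-b.example": {"events": [
        {"eventAction": "registration", "eventDate": "2015-01-10T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-02-01T00:00:00Z"}]},
}

def rdap_event(rdap, action):  # time of the first matching event, else None
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))

def contact_domain(contact):
    """Domain of an e-mail contact (mailto: or bare address); None otherwise."""
    addr = contact.removeprefix("mailto:").strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def audit(snaps, rdap_by_domain, now, warn_days=60):
    """Map snap name -> findings about the publisher's contact domain."""
    report = {}
    for snap in snaps:
        domain = contact_domain(snap["contact"])
        rdap = rdap_by_domain.get(domain)
        if rdap is None:  # no e-mail contact, or no RDAP data for the domain
            report[snap["name"]] = ["unverifiable-contact"]
            continue
        findings = []
        registered = rdap_event(rdap, "registration")
        expires = rdap_event(rdap, "expiration")
        # Registered after the snap existed: the domain lapsed and was taken again.
        if registered and registered > datetime.fromisoformat(snap["first_published"]):
            findings.append("reregistered-after-publication")
        if expires and expires < now:
            findings.append("expired")
        elif expires and expires - now < timedelta(days=warn_days):
            findings.append("expiring-soon")
        report[snap["name"]] = findings
    return report
```

A domain bought through an expiry auction can keep its original registration date, so an empty findings list is the absence of one signal, not proof that the publisher still controls the address.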
The Growing Threat of Supply Chain Attacks
This attack highlights a broader trend of increasing supply chain risks in the cryptocurrency world. As cybersecurity improves at the protocol level, attackers are shifting their focus from targeting vulnerabilities in smart contracts to exploiting trusted distribution channels. The attack on the Snap Store is a prime example of this evolving threat, where cybercriminals aim to manipulate the software update process rather than directly compromise code.
Data from CertiK shows that supply-chain attacks now account for a significant portion of cryptocurrency-related theft. In 2025 alone, losses from supply-chain incidents amounted to $1.45 billion across just two attacks, underscoring the growing impact of these threats.
The Snap Store Attack’s Impact
The Snap Store, which is widely regarded as the official Linux app store, is particularly vulnerable to this type of attack. Because the attack arrives through routine software updates, users who think they are updating legitimate applications are unknowingly installing malware. Once the malicious update is installed, the app prompts users to enter their wallet recovery phrases, leading to potential loss of funds.
SlowMist identified two compromised publisher domains, “storewise[.]tech” and “vagueentertainment[.]com,” which were linked to the malicious applications. By impersonating trusted crypto wallets, the attackers were able to slip past security measures and compromise unsuspecting users.
This attack serves as a stark reminder of the importance of securing software distribution channels and the growing sophistication of cyber threats targeting the crypto industry.
