Blockchain security firm SlowMist has flagged a new Linux-based attack vector that exploits trusted apps distributed through the Snap Store to steal users’ crypto recovery seed phrases.
In a post on X, SlowMist’s Chief Information Security Officer, 23pds, said attackers abuse expired domains to hijack long-running Snap Store publisher accounts and distribute malicious updates through official channels.
The compromised apps allegedly mimic popular crypto wallets, including Exodus, Ledger Live, and Trust Wallet, using interfaces that closely resemble legitimate software.
Once installed or updated, the malicious apps ask users to enter wallet recovery phrases, allowing attackers to extract credentials and drain funds without users realizing they’ve been compromised.

Attackers use expired domains to hijack Snap Store publishers
The Snap Store is an official Linux application store used to distribute software packaged in a format called “snaps”. It is usually considered the Linux equivalent of the Apple App Store on macOS and the Microsoft Store on Windows.
SlowMist said the attack relies on tracking Snap Store developer accounts linked to domains that have expired but were previously linked to legitimate publishers.
After the domain expires, attackers can re-register it and use the email addresses associated with the domain to revoke Snap Store account credentials.
SlowMist’s CEO said the process allows attackers to quietly take control of established publisher accounts with existing download history and active users. From there, malicious code can be pushed through routine software updates instead of new installations.
SlowMist confirmed that two publisher domains, namely “storewise(.)tech” and “vagueentertainment(.)com,” were compromised using the attack vector. The apps associated with the accounts have reportedly been modified to mimic well-known crypto wallets.
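For publishers, the defensive counterpart is to audit the recovery e-mail domains on accounts they own before a registration lapses. The sketch below is an added example, not code from SlowMist or the original article; the account names, `.test` domains and RDAP records are constructed, and only the `events` / `eventAction` / `eventDate` fields follow the RDAP response format (RFC 9083).

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: recovery e-mail addresses on accounts your own team controls.
ACCOUNTS = {
    "snap-publisher": "dev@example-apps.test",
    "ci-signing": "release@example-corp.test",
    "legacy-tool": "admin@old-project.test",
}

# Constructed RDAP domain responses (RFC 9083 shape), trimmed to the fields used here.
RDAP = {
    "example-apps.test": {"events": [
        {"eventAction": "registration", "eventDate": "2019-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-02-10T00:00:00Z"}]},
    "example-corp.test": {"events": [
        {"eventAction": "expiration", "eventDate": "2029-06-30T00:00:00Z"}]},
    "old-project.test": {"events": [
        {"eventAction": "registration", "eventDate": "2015-01-01T00:00:00Z"}]},
}

def expiry_of(rdap_record):
    """Return the domain's expiration time, or None if the record has none."""
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def audit(accounts, rdap, now, warn_days=90):
    """Map each account to 'ok', 'expiring', 'expired' or 'unknown'."""
    findings = {}
    for account, email in accounts.items():
        domain = email.rsplit("@", 1)[-1].lower()
        expires = expiry_of(rdap.get(domain, {}))
        if expires is None:
            findings[account] = "unknown"      # no expiry data: verify by hand
        elif expires <= now:
            findings[account] = "expired"      # lapsed: move the account off this domain
        elif expires - now <= timedelta(days=warn_days):
            findings[account] = "expiring"     # renew or change the recovery address
        else:
            findings[account] = "ok"
    return findings

if __name__ == "__main__":
    now = datetime(2026, 1, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for account, status in audit(ACCOUNTS, RDAP, now).items():
        print(f"{account:15} {ACCOUNTS[account]:28} {status}")
```

Treat "unknown" as a finding rather than a pass: a record without an expiration event still needs a manual check with the registrar.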
Supply chain attacks are growing as crypto exploits become more sophisticated
The Snap Store attack vector aligns with a broader shift in crypto-related threats, where attackers are increasingly targeting infrastructure and distribution channels rather than smart contracts themselves.
Data CertiK shared with Cointelegraph in December showed total crypto hacking losses reaching $3.3 billion in 2025, despite a sharp decline in the number of individual incidents.
CertiK said losses were concentrated in smaller but more damaging supply chain attacks, which totaled $1.45 billion in losses from just two incidents.
The trend suggests that as protocol-level security improves, attackers are shifting to higher-impact tactics that exploit trust relationships, software updates, and third-party infrastructure.
