
Expired domains enable supply-chain attack on Linux crypto wallet users

SlowMist flags Linux Snap Store attack targeting crypto seed phrases

Attackers have taken over trusted Snap Store publisher accounts by re-registering expired domains, letting malicious wallet updates reach long-time Linux users through the store's normal update channel.

SlowMist, a blockchain security firm, has identified a new method attackers are using to compromise Linux systems: hijacking trusted applications on the Snap Store to steal users' crypto wallet recovery seed phrases.

23pds, SlowMist's chief information security officer, stated in a post on X that attackers are leveraging expired domains to take over long-standing Snap Store publisher accounts and push malicious updates through official channels.

The compromised apps reportedly impersonate popular cryptocurrency wallets such as Exodus, Ledger Live, and Trust Wallet, using interfaces that closely resemble the genuine software.

Once installed or updated, the malicious apps prompt users to enter their wallet recovery phrases, allowing attackers to steal those credentials and drain the wallets without the user realising they have been compromised.

[Image: Expired domains enable supply-chain attack on Linux crypto wallet users. Source: 23pds]

How trusted distribution channels were exploited

The Snap Store is the official Linux app store for distributing software that is packaged as “snaps.” People often think of it as Linux’s version of the Microsoft Store on Windows and the Apple App Store on macOS.

SlowMist explained that the attack works by monitoring Snap Store developer accounts tied to domains that were once owned by legitimate publishers but have since expired.

When such a domain lapses, attackers can re-register it, recreate the email addresses associated with that domain, and use them to reset the passwords of the corresponding Snap Store accounts.

According to SlowMist's CISO, this approach lets attackers quietly take control of established publisher accounts that already have download histories and active users. Malicious code is then delivered through routine software updates to the existing install base rather than through new installations.
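Because the takeover described above keeps the original publisher name, a user cannot rely on "who published it" alone; what they can do is notice when a wallet snap changes underneath them. The script below is an added example (not from the article or from SlowMist) that parses the text output of `snap list`, compares it with a previously saved baseline, and flags any watched snap whose revision or publisher changed or whose publisher lacks the trailing verified check mark, so an update can be reviewed before any recovery phrase is typed into it. The snap names, publishers and revisions in the sample data are constructed placeholders, and the column layout is assumed to match current `snap list` output (Name, Version, Rev, Tracking, Publisher, Notes, with a `✓` appended to verified publishers).

```python
"""Audit installed snaps against a pinned baseline (added example, not the
article's or SlowMist's code). Flags revision changes, publisher changes and
unverified publishers for a watch list of wallet-related snaps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SnapEntry:
    name: str
    version: str
    revision: str
    tracking: str
    publisher: str  # as printed by `snap list`, e.g. "canonical✓"
    notes: str

    @property
    def verified(self) -> bool:
        # snapd appends a check mark to publishers verified by the store
        return self.publisher.endswith("✓")

    @property
    def publisher_id(self) -> str:
        return self.publisher.rstrip("✓")


def parse_snap_list(text: str) -> dict[str, SnapEntry]:
    """Parse `snap list` output: a header line, then one whitespace-separated row per snap."""
    entries: dict[str, SnapEntry] = {}
    rows = [line for line in text.splitlines() if line.strip()]
    for row in rows[1:]:  # skip the column header
        parts = row.split()
        if len(parts) < 6:
            raise ValueError(f"unexpected row in snap list output: {row!r}")
        name, version, rev, tracking, publisher = parts[:5]
        entries[name] = SnapEntry(name, version, rev, tracking, publisher, " ".join(parts[5:]))
    return entries


def audit(current: dict[str, SnapEntry], baseline: dict[str, SnapEntry],
          watch: list[str]) -> list[tuple[str, str, str]]:
    """Return (snap, finding, detail) tuples for every watched snap that needs a look."""
    findings: list[tuple[str, str, str]] = []
    for name in watch:
        cur, base = current.get(name), baseline.get(name)
        if cur is None:
            findings.append((name, "missing", "watched snap is not installed"))
            continue
        if not cur.verified:
            findings.append((name, "unverified-publisher", cur.publisher))
        if base is None:
            findings.append((name, "new", f"not in baseline; publisher {cur.publisher}"))
            continue
        if cur.publisher_id != base.publisher_id:
            findings.append((name, "publisher-changed", f"{base.publisher_id} -> {cur.publisher_id}"))
        if cur.revision != base.revision:
            findings.append((name, "revision-changed", f"{base.revision} -> {cur.revision}"))
    return findings


# Constructed sample output: a saved baseline and a later `snap list` run.
BASELINE_TEXT = """\
Name           Version   Rev   Tracking       Publisher     Notes
core22         20240111  1122  latest/stable  canonical✓    base
sample-wallet  1.4.0     42    latest/stable  sample-pub✓   -
helper-tool    0.9       7     latest/stable  some-dev      -
"""
CURRENT_TEXT = """\
Name           Version   Rev   Tracking       Publisher     Notes
core22         20240111  1122  latest/stable  canonical✓    base
sample-wallet  1.4.1     57    latest/stable  sample-pub✓   -
helper-tool    1.0       9     latest/stable  other-dev     -
"""
WATCH = ["sample-wallet", "helper-tool", "missing-wallet"]


def run_demo() -> list[tuple[str, str, str]]:
    return audit(parse_snap_list(CURRENT_TEXT), parse_snap_list(BASELINE_TEXT), WATCH)


if __name__ == "__main__":
    for snap, kind, detail in run_demo():
        print(f"{snap:15} {kind:22} {detail}")
```

In practice the baseline is the output of `snap list` captured when the wallet was last verified, and the current text comes from running `snap list` again; a `revision-changed` finding on a wallet snap is the cue to check the publisher's release notes before entering a seed phrase. Users who want updates to wait for that review can hold automatic refreshes with `snap refresh --hold <snap>` on recent snapd versions.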

Broader shift toward supply-chain attacks

The Snap Store attack vector reflects a broader trend in cryptocurrency-related threats: malicious actors are increasingly targeting infrastructure and distribution channels rather than smart contract code.

CertiK reported that losses were concentrated in fewer but more damaging supply-chain incidents, with just two incidents accounting for $1.45 billion in losses.

The trend suggests that as protocol-level security improves, attackers are shifting to methods that exploit trust relationships, software update mechanisms, and third-party infrastructure.
