SlowMist flags Linux snap store attack targeting crypto seed phrases
|Blockchain security company SlowMist flagged a new Linux-based attack vector that exploits trusted applications distributed through the Snap Store to steal users’ crypto recovery seed phrases.
In a post on X, SlowMist’s chief information security officer, 23pds, said attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels.
The compromised applications reportedly impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet, using interfaces that closely resemble legitimate software.
Once installed or updated, the malicious apps prompt users to enter wallet recovery phrases, allowing attackers to exfiltrate credentials and drain funds without users realizing they have been compromised.
Source: 23pds
Attackers use expired domains to hijack snap store publishers
The Snap Store is the official Linux app store used to distribute software packaged in a format called “snaps.” It is commonly considered Linux’s equivalent of Apple’s App Store on macOS and the Microsoft Store on Windows.
SlowMist said the attack relies on monitoring Snap Store developer accounts linked to domains that have expired but were previously associated with legitimate publishers.
Once a domain expires, attackers can re-register it and use domain-linked email addresses to reset Snap Store account credentials.
The SlowMist executive said the process allows attackers to quietly take control of established publisher accounts with existing download histories and active users. From there, malicious code can be pushed through routine software updates rather than fresh installations.
SlowMist confirmed that two publisher domains, namely “storewise[.]tech” and “vagueentertainment[.]com,” have been compromised using the attack vector. Applications tied to the accounts were reportedly modified to impersonate well-known crypto wallets.
Supply-chain attacks grow as crypto exploits become more sophisticated
The Snap Store attack vector aligns with a broader shift in crypto-related threats, where attackers are increasingly targeting infrastructure and distribution channels rather than smart contract code.
CertiK data shared with Cointelegraph in December showed that total crypto hack losses reached $3.3 billion in 2025, despite a sharp decline in the number of individual incidents.
CertiK said losses became concentrated in fewer but more damaging supply-chain attacks, which accounted for $1.45 billion in losses across just two incidents.
The trend suggests that as protocol-level security improves, attackers are shifting toward higher-impact tactics that exploit trust relationships, software updates and third-party infrastructure.
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers.