At a Glance
- SlowMist warns that attackers hijack Snap Store publisher accounts via expired domains.
- Malicious updates mimic popular wallets like Exodus, Ledger Live and Trust Wallet.
- Crypto users risk exposing recovery seed phrases and losing funds.
- Why it matters: The attack exploits trusted Linux distribution channels, making it harder for users to detect.
SlowMist’s latest alert reveals a sophisticated supply-chain attack that uses the Snap Store, Linux’s main app distribution platform, to push malicious updates that look like legitimate crypto wallets. The method relies on hijacking publisher accounts that have long-standing download histories, enabling attackers to deliver malware through routine updates rather than new installations.
What the Attack Looks Like
The compromised applications, once installed or updated, prompt users to enter their wallet recovery phrases. The attackers then exfiltrate the credentials and drain funds without the user noticing.
- The malicious apps closely resemble the interfaces of well-known wallets such as Exodus, Ledger Live and Trust Wallet.
- Users are asked to input their 12- or 24-word seed phrase, which is captured by the malware.
- Funds are transferred to attacker-controlled addresses after the seed phrase is obtained.
How Attackers Hijack Snap Store Accounts
Snap Store publisher accounts are tied to email addresses on domains that, once they lapse, can be re-registered by attackers. The process involves:
- Domain expiration – The domain previously associated with a legitimate publisher lapses.
- Re-registration – Attackers register the domain again.
- Credential reset – With mail for the re-registered domain now under their control, they use the domain-linked email address to reset the Snap Store account credentials.
- Account takeover – They gain full control of the publisher’s account, including its download history and active user base.
- Malicious updates – They push malware through routine software updates.
SlowMist confirmed that two publisher domains, storewise.tech and vagueentertainment.com, were compromised using this vector. Applications tied to those accounts were modified to impersonate well-known crypto wallets.
Timeline of the Hijack Process
| Step | Stage | Outcome |
|---|---|---|
| 1 | Domain expires | Original publisher loses control |
| 2 | Attackers re-register | Domain ownership transferred |
| 3 | Credential reset | Email link used to reset account |
| 4 | Account takeover | Malicious updates pushed |
Impact on Crypto Wallet Users
The attack is especially dangerous because it targets the very trust users place in official app stores. When a user updates a wallet, they expect the new version to be safe. Instead, they are led into a phishing trap.
- Seed phrase theft: Attackers capture the phrase that grants full control over a wallet.
- Unnoticed fund drain: Transfers occur automatically once the phrase is obtained.
- Erosion of trust: Users may lose confidence in Linux app distribution channels.
Broader Trend in Supply-Chain Attacks
SlowMist’s findings align with a broader shift in crypto-related threats. According to CertiK data shared with {brand} in December, total crypto hack losses reached $3.3 billion in 2025, despite a decline in the number of incidents. Losses became concentrated in fewer but more damaging supply-chain attacks, which accounted for $1.45 billion across just two incidents.
The trend shows that as protocol-level security improves, attackers are moving toward higher-impact tactics that exploit trust relationships, software updates and third-party infrastructure. The Snap Store hijack is a prime example of this shift.
What Users and Developers Can Do
For Users
- Verify the publisher: Check the publisher’s name and email address before installing or updating.
- Use official sources: Download wallets directly from the developer’s website or a verified repository.
- Avoid entering seed phrases: Legitimate wallets should not prompt for the full recovery phrase during an update.
- Keep software up to date: While updates can be malicious, many legitimate updates patch security flaws.
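The "verify the publisher" advice can be scripted. The following is an added example, not code from the SlowMist alert or from snapd: it parses the `publisher:` line that `snap info <name>` prints, which is assumed to take the form `Display Name (account-id✓)` with a trailing check mark for store-verified publishers, and compares the account id against an allow-list the user maintains. Snap names, publisher names and ids in the sample output are constructed.

```python
"""Flag wallet snaps whose publisher is not the account you expect.

Added example, not code from the SlowMist alert or from snapd. It parses the
`publisher:` line of `snap info <name>` output, which is assumed to look like
`Display Name (account-id✓)` with a trailing check mark for store-verified
publishers, and compares the account id against a user-maintained allow-list.
"""
import re
import subprocess

VERIFIED_MARK = "\u2713"  # check mark snap appends to verified publishers (assumed)

# Constructed `snap info` output; snap names, publisher names and ids are made up.
SAMPLE_INFO = {
    "good-wallet": (
        "name:      good-wallet\n"
        "summary:   Example wallet\n"
        "publisher: Example Wallet Co (example-wallet-co\u2713)\n"
        "store-url: https://snapcraft.io/good-wallet\n"
    ),
    # Same display name, different unverified account: the lookalike pattern.
    "lookalike-wallet": (
        "name:      lookalike-wallet\n"
        "summary:   Example wallet\n"
        "publisher: Example Wallet Co (some-other-account)\n"
    ),
    "no-publisher": "name:      no-publisher\nsummary:   broken record\n",
}

# Which account id the user expects behind each wallet snap (constructed).
EXPECTED_PUBLISHER = {
    "good-wallet": "example-wallet-co",
    "lookalike-wallet": "example-wallet-co",
}


def parse_publisher(info_text):
    """Return {'name', 'id', 'verified'} from the publisher line, or None."""
    for line in info_text.splitlines():
        if not line.startswith("publisher:"):
            continue
        value = line.split(":", 1)[1].strip()
        verified = VERIFIED_MARK in value
        value = value.replace(VERIFIED_MARK, "").strip()
        m = re.fullmatch(r"(?P<name>.*?)\s*\((?P<id>[^)]+)\)", value)
        if m:
            return {"name": m.group("name"), "id": m.group("id"), "verified": verified}
        # snap prints only the display name when it equals the account id
        return {"name": value, "id": value, "verified": verified}
    return None


def assess(snap_name, info_text, expected=EXPECTED_PUBLISHER):
    """Return (ok, reason): ok only if the account id matches and is verified."""
    pub = parse_publisher(info_text)
    if pub is None:
        return False, "no publisher line found"
    want = expected.get(snap_name)
    if want is not None and pub["id"] != want:
        return False, f"publisher id {pub['id']!r} does not match expected {want!r}"
    if not pub["verified"]:
        return False, f"publisher {pub['id']!r} is not store-verified"
    return True, f"publisher {pub['id']!r} matches and is verified"


def assess_installed(snap_name):
    """Live check via the snap CLI (only meaningful on a machine with snapd)."""
    out = subprocess.run(["snap", "info", snap_name], capture_output=True,
                         text=True, check=True).stdout
    return assess(snap_name, out)


if __name__ == "__main__":
    for name, text in SAMPLE_INFO.items():
        ok, why = assess(name, text)
        print(f"{name}: {'OK' if ok else 'WARN'} ({why})")
```

The check keys on the account id and the verified mark rather than the display name, because the display name is exactly what a lookalike copies. It catches a wallet published by an unrelated or unverified account; it does not catch the case where the vendor's own long-standing account has been taken over, which is why the advice to never type a recovery phrase into an update prompt still applies.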
For Developers
- Secure domain registration: Keep domains under active monitoring and renew promptly.
- Implement code signing: Sign updates with a private key that is stored securely.
- Educate users: Provide clear warnings about entering recovery phrases.
- Audit third-party dependencies: Ensure that any libraries or services used are trustworthy.
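The first link in the hijack chain described above is a domain that quietly expires, and the "secure domain registration" advice amounts to noticing before that happens. The following monitor is an added example, not code from SlowMist or the Snap Store: it reads RDAP domain records (the JSON that registries serve for WHOIS-style lookups), extracts the `expiration` event and flags any watched domain that is expired, inside a warning window, or has no readable expiry at all. The sample records and domain names are constructed, and the rdap.org redirector URL in `fetch_rdap` is an assumption for live use that the demo does not call.

```python
"""Watch the domains behind your publisher accounts for approaching expiry.

Added example, not code from SlowMist or the Snap Store. It reads RDAP domain
records, extracts the `expiration` event and flags anything expired or inside
a warning window. Sample records are constructed; the rdap.org redirector URL
in fetch_rdap is an assumption for live use and is not called in the demo.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=60)
# Fixed clock so the demo classifications are reproducible.
DEMO_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed RDAP-shaped records; the domain names are placeholders.
SAMPLE_RDAP = {
    "publisher-example.test": json.dumps({
        "objectClassName": "domain",
        "ldhName": "publisher-example.test",
        "events": [
            {"eventAction": "registration", "eventDate": "2019-03-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2027-03-01T00:00:00Z"},
        ],
    }),
    "lapsing-example.test": json.dumps({
        "objectClassName": "domain",
        "ldhName": "lapsing-example.test",
        "events": [{"eventAction": "expiration", "eventDate": "2026-02-01T00:00:00Z"}],
    }),
    "lapsed-example.test": json.dumps({
        "objectClassName": "domain",
        "ldhName": "lapsed-example.test",
        "events": [{"eventAction": "expiration", "eventDate": "2025-12-01T00:00:00Z"}],
    }),
    # No expiration event at all: must surface as a finding, not pass silently.
    "opaque-example.test": json.dumps({"objectClassName": "domain", "events": []}),
}


def expiry_from_rdap(record_json):
    """Return the expiration datetime (UTC) from an RDAP domain record, or None."""
    record = json.loads(record_json)
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")  # fromisoformat on older Pythons
            return datetime.fromisoformat(stamp)
    return None


def classify(record_json, now, window=WARN_WINDOW):
    """Classify a record as 'ok', 'expiring', 'expired' or 'unknown'."""
    expiry = expiry_from_rdap(record_json)
    if expiry is None:
        return "unknown"
    if expiry <= now:
        return "expired"
    if expiry - now <= window:
        return "expiring"
    return "ok"


def report(records, now=None, window=WARN_WINDOW):
    """Map each watched domain to its classification."""
    now = now or datetime.now(timezone.utc)
    return {domain: classify(rec, now, window) for domain, rec in records.items()}


def fetch_rdap(domain, timeout=10):
    """Live lookup through the rdap.org redirector (assumed URL)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for domain, state in report(SAMPLE_RDAP, DEMO_NOW).items():
        print(f"{domain}: {state}")
```

The watch list should contain the domain of every email address attached to the publisher account, recovery addresses included, since any of them can receive a password-reset link. Treat `unknown` as an alert rather than a pass: a registry that stops reporting an expiry is exactly the case a monitor must not ignore, and registrar auto-renew plus a transfer lock remain the controls that the monitor only backs up.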
Key Takeaways
- SlowMist has identified a new attack vector that hijacks Snap Store publisher accounts via expired domains.
- Malicious updates masquerade as popular crypto wallets, tricking users into revealing seed phrases.
- The attack is part of a larger trend toward supply-chain attacks that have caused $3.3 billion in losses in 2025.
- Users should verify publisher identities and avoid entering recovery phrases during updates.
- Developers must secure domain registrations and use code signing to protect their users.
By understanding the mechanics of this attack and taking proactive steps, both users and developers can mitigate the risk of falling victim to malicious updates in the Linux ecosystem.
About the Reporter
The information was reported by SlowMist and published by {brand}.