
Attackers Exploit Linux Snap Store to Steal Crypto Recovery Keys
A new attack on Linux users takes advantage of expired domains to hijack trusted applications and capture sensitive information.
Blockchain security firm SlowMist has identified a new attack method targeting Linux users, where attackers exploit trusted applications found in the Snap Store to steal crypto recovery seed phrases.
In a recent update on X, SlowMist’s Chief Information Security Officer, 23pds, noted that the attackers are utilizing expired domains to hijack long-established publisher accounts in the Snap Store, allowing them to send malicious updates through legitimate distribution channels.
The compromised applications masquerade as popular crypto wallets like Exodus, Ledger Live, and Trust Wallet, using similar interfaces to appear authentic. Upon installation or update, these malicious applications prompt users to enter their wallet recovery phrases, enabling attackers to capture those phrases and drain funds without the users being aware of the breach.
Attackers Use Expired Domains to Take Over Snap Store Publisher Accounts
The Snap Store serves as the official Linux application platform, distributing software packaged in ‘snap’ format, akin to Apple’s App Store or Microsoft Store. SlowMist revealed that the attack hinges on monitoring developer accounts associated with expired domains that were once linked to credible publishers.
Once a domain lapses, cybercriminals can register it again and use email addresses on that domain to trigger password resets for Snap Store accounts. According to SlowMist, this strategy lets attackers quietly seize control of verified publisher accounts with a track record of downloads and active users. Consequently, malicious code can be delivered through standard software updates rather than requiring a fresh installation.
SlowMist confirmed that two publisher domains, namely storewise.tech and vagueentertainment.com, had been exploited using this method, with applications related to these accounts altered to impersonate famous crypto wallets.
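As an added illustration (not code from SlowMist or the Snap Store), a store operator or a publisher auditing its own accounts could compare each account's contact-email domain against RDAP registration data. The sketch below treats a domain registered after the account was created, or one that is expired or close to expiry, as a reason to distrust email-based password resets. The account records, the `.example` domains, the 60-day threshold and the fixed clock are all constructed assumptions; the `events` layout follows RDAP domain responses.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample data: publisher accounts and trimmed RDAP domain objects.
ACCOUNTS = [
    {"publisher": "alpha", "email": "dev@alpha-apps.example", "created": "2018-03-01T00:00:00Z"},
    {"publisher": "bravo", "email": "ops@bravo-soft.example", "created": "2017-06-15T00:00:00Z"},
    {"publisher": "charlie", "email": "me@charlie-labs.example", "created": "2019-01-10T00:00:00Z"},
]
RDAP = {
    "alpha-apps.example": {"events": [
        {"eventAction": "registration", "eventDate": "2015-02-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2027-02-01T00:00:00Z"}]},
    "bravo-soft.example": {"events": [  # registered after the account existed
        {"eventAction": "registration", "eventDate": "2025-11-20T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-11-20T00:00:00Z"}]},
    "charlie-labs.example": {"events": [
        {"eventAction": "registration", "eventDate": "2016-05-05T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-02-10T00:00:00Z"}]},
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def rdap_event(rdap, action):
    """Date of the first RDAP event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return _ts(ev["eventDate"])
    return None

def audit(account, rdap_by_domain, now, warn_days=60):
    """Return findings that make an email password reset unsafe to trust."""
    domain = account["email"].rsplit("@", 1)[1].lower()
    rdap = rdap_by_domain.get(domain)
    if rdap is None:
        return ["no-rdap-record"]
    findings = []
    registered, expires = rdap_event(rdap, "registration"), rdap_event(rdap, "expiration")
    if registered and registered > _ts(account["created"]):
        findings.append("domain-registered-after-account-created")
    if expires is None:
        findings.append("no-expiration-date")
    elif expires <= now:
        findings.append("domain-expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append("domain-expiring-soon")
    return findings
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample
REPORT = {a["publisher"]: audit(a, RDAP, NOW) for a in ACCOUNTS}
```

The registration-date comparison is a heuristic: it catches a domain that dropped and was registered anew, not one that changed hands by transfer while still registered.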
Supply-Chain Attacks Increase as Crypto Threats Become More Advanced
This Snap Store attack is part of a larger trend in cryptocurrency-related threats, in which attackers target infrastructure and distribution channels rather than only compromising smart contracts. Data from CertiK shared with Cointelegraph showed that total losses from crypto hacks reached $3.3 billion in 2025, despite a significant reduction in individual incidents.
CertiK indicated that losses are becoming more concentrated, with fewer but more impactful supply-chain attacks leading to $1.45 billion in losses across just two incidents. This suggests that as security at the protocol level improves, attackers are gravitating toward higher-impact methods that exploit trusted relationships, software updates, and third-party infrastructure.
