Blockchain security firm SlowMist has reported a new Linux-based attack vector that leverages trusted apps distributed through the Snap Store to steal users’ cryptocurrency recovery seed phrases.
In a post on X, SlowMist’s director of information security, 23pds, said attackers use expired domains to hijack existing Snap Store publisher accounts and distribute malicious updates through official channels.
The compromised apps reportedly impersonate popular cryptocurrency wallets, including Exodus, Ledger Live, and Trust Wallet, using interfaces that closely resemble legitimate software.
Once installed or updated, the malicious apps prompt users to enter wallet recovery phrases, allowing attackers to exfiltrate credentials and siphon funds without users being aware that they have been compromised.
Attackers use expired domains to hijack Snap Store publishers
Snap Store is the official Linux application store used to distribute software in a format called “snaps”. It is widely considered to be the Linux equivalent of the Apple App Store on macOS and the Microsoft Store on Windows.
SlowMist says the attack involves monitoring Snap Store developer accounts tied to domains that have expired but were previously associated with legitimate publishers.
Once a domain has expired, attackers can re-register it and use the email addresses associated with the domain to reset the Snap Store account credentials.
The SlowMist executive said this process allows attackers to silently take control of established publisher accounts with existing download history and active users. From there, malicious code can be pushed through routine software updates rather than new installations.
SlowMist confirmed that two publisher domains, namely “storewise[.]tech” and “obscure entertainment[.]com”, were compromised using this attack vector. Apps associated with the accounts were reportedly modified to impersonate well-known cryptocurrency wallets.
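The takeover path described above depends on a publisher's contact-email domain lapsing and being registered again by someone else. The following is an added example, not code from SlowMist or the Snap Store, of a check a store operator or publisher could run over account records; the publisher names, domains and dates are constructed, and it assumes registration data is available in the RDAP "events" layout.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical publisher accounts and contact emails.
PUBLISHERS = [
    {"name": "publisher-a", "email": "dev@example-a.test", "first_release": "2019-03-01T00:00:00Z"},
    {"name": "publisher-b", "email": "dev@example-b.test", "first_release": "2018-06-15T00:00:00Z"},
    {"name": "publisher-c", "email": "dev@example-c.test", "first_release": "2020-09-30T00:00:00Z"},
]

def _events(registered, expires):
    # RDAP-style "events" array (layout per RFC 9083); values are constructed.
    return {"events": [{"eventAction": "registration", "eventDate": registered},
                       {"eventAction": "expiration", "eventDate": expires}]}

RDAP = {
    "example-a.test": _events("2015-01-10T00:00:00Z", "2027-01-10T00:00:00Z"),
    "example-b.test": _events("2025-11-02T00:00:00Z", "2026-11-02T00:00:00Z"),  # re-registered
    "example-c.test": _events("2016-02-10T00:00:00Z", "2026-02-10T00:00:00Z"),  # lapsing
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _event_date(record, action):
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return _parse(ev["eventDate"])
    return None

def assess(publisher, rdap, now, warn_days=60):
    """Return risk findings for the domain behind a publisher's contact email."""
    domain = publisher["email"].rsplit("@", 1)[-1].lower()
    record = rdap.get(domain)
    if record is None:
        return ["no-registration-data"]
    findings = []
    registered = _event_date(record, "registration")
    expires = _event_date(record, "expiration")
    # A domain registered after the account's first release was registered
    # anew at some point, so password-reset mail may reach a different owner.
    if registered and registered > _parse(publisher["first_release"]):
        findings.append("domain-registered-after-first-release")
    if expires and expires <= now:
        findings.append("domain-expired")
    elif expires and expires - now <= timedelta(days=warn_days):
        findings.append("domain-expiring-soon")
    return findings

if __name__ == "__main__":
    now = datetime(2026, 1, 20, tzinfo=timezone.utc)  # constructed "today"
    for p in PUBLISHERS:
        print(p["name"], assess(p, RDAP, now))
```

An account flagged this way is a candidate for holding updates and re-verifying the publisher before any password reset by email is honored.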
Supply chain attacks are on the rise as crypto exploits become more sophisticated
The Snap Store attack vector is part of a broader shift in cryptocurrency threats, where attackers are increasingly targeting infrastructure and distribution channels rather than smart contract code.
CertiK data shared with Cointelegraph in December showed that total cryptocurrency hack losses reached $3.3 billion in 2025, despite a sharp decline in the number of individual incidents.
CertiK said losses were concentrated in fewer but more damaging supply chain attacks, which resulted in $1.45 billion in losses in just two incidents.
The trend suggests that as protocol-level security improves, attackers are moving toward higher-impact tactics that leverage relationships of trust, software updates, and third-party infrastructure.
