SlowMist flags Linux Snap Store attack targeting crypto seed phrases

Blockchain security company SlowMist flagged a new Linux-based attack vector that exploits trusted applications distributed through the Snap Store to steal users’ crypto recovery seed phrases.

In a post on X, SlowMist’s chief information security officer, 23pds, said attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels.

The compromised applications reportedly impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet, using interfaces that closely resemble legitimate software.

Once installed or updated, the malicious apps prompt users to enter wallet recovery phrases, allowing attackers to exfiltrate credentials and drain funds without users realizing they have been compromised.

Attackers use expired domains to hijack Snap Store publishers

The Snap Store is the official Linux app store used to distribute software packaged in a format called “snaps.” It is commonly considered Linux’s equivalent of Apple’s App Store on macOS and the Microsoft Store on Windows.

SlowMist said the attack relies on monitoring Snap Store developer accounts linked to domains that have expired but were previously associated with legitimate publishers.

Once a domain expires, attackers can re-register it and use domain-linked email addresses to reset Snap Store account credentials.

The SlowMist executive said the process allows attackers to quietly take control of established publisher accounts with existing download histories and active users. From there, malicious code can be pushed through routine software updates rather than fresh installations.

SlowMist confirmed that two publisher domains, namely “storewise[.]tech” and “vagueentertainment[.]com,” have been compromised using the attack vector. Applications tied to the accounts were reportedly modified to impersonate well-known crypto wallets.

Supply-chain attacks grow as crypto exploits become more sophisticated

The Snap Store attack vector aligns with a broader shift in crypto-related threats, where attackers are increasingly targeting infrastructure and distribution channels rather than smart-contract code.

CertiK data shared with Cointelegraph in December showed that total crypto hack losses reached $3.3 billion in 2025, despite a sharp decline in the number of individual incidents.

CertiK said losses became concentrated in fewer but more damaging supply-chain attacks, which accounted for $1.45 billion in losses across just two incidents.

The trend suggests that as protocol-level security improves, attackers are shifting toward higher-impact tactics that exploit trust relationships, software updates and third-party infrastructure.

[embedded content]