Cybercriminals have compromised trusted Linux applications on the Snap Store by seizing expired domains, allowing them to push malware that steals cryptocurrency recovery phrases. Security experts from SlowMist and Ubuntu contributor Alan Pope highlighted the attack, which targets established publisher accounts to distribute malicious updates impersonating popular wallets. Canonical has removed the affected snaps, but calls for stronger safeguards persist.
Linux Snap Store targeted in sophisticated crypto theft scheme
Cyber attackers have exploited the Snap Store, Canonical's repository for Linux software packages, to distribute malware disguised as legitimate cryptocurrency wallets. The entry point is not the store's code but its publishers' contact details: when a publisher's account e-mail sits on a domain that has since lapsed, an attacker can re-register that domain, receive the password-reset messages for the dormant Snapcraft account, take it over, and upload malicious updates that harvest users' wallet recovery phrases.
Alan Pope, a former Canonical developer and Ubuntu contributor, first warned about this tactic on January 21, 2026. He detailed how attackers registered lapsed domains such as storewise.tech and vagueentertainment.com, set up mail for them, and used the password-reset e-mails that arrived there to reset the credentials of the accounts tied to those addresses. "The malicious snaps looked normal but were designed to harvest [crypto wallet] recovery phrases and send them to servers controlled by the attackers," Pope explained. By the time users notice issues, their funds are often drained.
Blockchain security firm SlowMist echoed these concerns in a post on X by chief information security officer 23pds. The firm noted that compromised apps mimic interfaces of popular wallets such as Exodus, Ledger Live, and Trust Wallet, prompting users to enter sensitive seed phrases during installation or updates. "Attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels," 23pds stated.
This method builds on prior Snap Store abuses, including fake accounts and bait-and-switch tactics with innocuous app names like lemon-throw. SlowMist highlighted the supply-chain nature of the attack, which fits the pattern of 2025, when crypto hacks caused $3.3 billion in losses per CertiK data, with supply-chain incidents accounting for $1.45 billion of that total.
Canonical removed the malicious snaps after reports from Pope and others, but Pope criticized how long takedowns can take, sometimes days, and urged better verification on the publisher side: monitoring the expiry of domains used for account e-mail, mandatory two-factor authentication, and checks for dormant accounts. He also launched SnapScope, a web tool to scan snaps for vulnerabilities.
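The three checks Pope asks for map directly onto the takeover chain described above: an account is exposed when its e-mail domain is unregistered, expired or re-registered after the publisher last logged in, and a reset e-mail alone is enough to take it over when no second factor is set. The script below is an added illustration of how a store operator could triage publisher accounts on those signals; it is not Canonical's or Pope's code, the `Publisher` and `WhoisRecord` fields, the dormancy and expiry thresholds, and the sample records (all `.example` domains) are constructed assumptions, and a real deployment would populate the WHOIS records from RDAP lookups rather than a hard-coded table.

```python
"""Triage Snap Store publisher accounts for e-mail-domain takeover risk.

Added example, not Snapcraft's own code. Field names, thresholds and the
sample data below are assumptions chosen to illustrate the checks.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Publisher:
    name: str
    contact_email: str   # address that receives password-reset mail
    last_login: date     # assumed field: last interactive login
    two_factor: bool     # assumed field: second factor enabled


@dataclass
class WhoisRecord:
    """Subset of WHOIS/RDAP data. 'created' is the creation date of the
    *current* registration; it resets when a lapsed domain is re-registered,
    which is the signal that distinguishes a takeover from a renewal."""
    created: date
    expires: date


DORMANT_AFTER = timedelta(days=365)   # assumed threshold
EXPIRY_WARNING = timedelta(days=30)   # assumed threshold


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def assess_publisher(pub: Publisher, whois: Dict[str, Optional[WhoisRecord]],
                     today: date) -> Tuple[str, List[str]]:
    """Return ("critical" | "warning" | "ok", findings) for one account."""
    findings: List[str] = []
    domain = email_domain(pub.contact_email)
    rec = whois.get(domain)
    # True when someone other than the publisher can plausibly receive
    # password-reset mail for this address.
    stranger_can_reset = False

    if rec is None:
        findings.append(f"{domain} is unregistered: anyone can register it "
                        "and receive password-reset mail")
        stranger_can_reset = True
    else:
        if rec.expires < today:
            findings.append(f"{domain} registration expired on {rec.expires}")
            stranger_can_reset = True
        elif rec.expires - today <= EXPIRY_WARNING:
            findings.append(f"{domain} expires on {rec.expires}, within "
                            f"{EXPIRY_WARNING.days} days")
        # A registration younger than the publisher's last login means the
        # domain lapsed and was re-registered while the account sat idle.
        # It is a strong signal, not proof: the publisher may have let it
        # lapse and bought it back, so it should trigger review, not deletion.
        if rec.created > pub.last_login:
            findings.append(f"{domain} was (re)registered on {rec.created}, "
                            f"after the last login on {pub.last_login}")
            stranger_can_reset = True

    if today - pub.last_login > DORMANT_AFTER:
        findings.append(f"account dormant since {pub.last_login}")
    if not pub.two_factor:
        findings.append("no second factor: a password reset alone takes "
                        "over the account")

    if stranger_can_reset and not pub.two_factor:
        severity = "critical"   # the full takeover chain is open today
    elif findings:
        severity = "warning"
    else:
        severity = "ok"
    return severity, findings


def run_sample() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed sample data (not real publishers or WHOIS records)."""
    today = date(2026, 1, 21)
    publishers = [
        Publisher("dormant-wallet-dev", "dev@old-publisher.example",
                  date(2022, 3, 1), two_factor=False),
        Publisher("active-dev", "ops@active-vendor.example",
                  date(2026, 1, 10), two_factor=True),
        Publisher("lapsed-dev", "me@lapsed-domain.example",
                  date(2024, 6, 1), two_factor=False),
        Publisher("healthy-dev", "ops@healthy-vendor.example",
                  date(2026, 1, 15), two_factor=True),
    ]
    whois: Dict[str, Optional[WhoisRecord]] = {
        "old-publisher.example": WhoisRecord(date(2025, 11, 2), date(2026, 11, 2)),
        "active-vendor.example": WhoisRecord(date(2018, 5, 5), date(2026, 2, 5)),
        "healthy-vendor.example": WhoisRecord(date(2015, 9, 9), date(2027, 9, 9)),
        # lapsed-domain.example is absent: no current registration
    }
    return {p.name: assess_publisher(p, whois, today) for p in publishers}


if __name__ == "__main__":
    for name, (severity, findings) in run_sample().items():
        print(f"{severity.upper():8} {name}")
        for f in findings:
            print(f"         - {f}")
```

Running the sample flags `dormant-wallet-dev` as critical because its domain was re-registered years after the account's last login and no second factor stands in the way, exactly the shape of the storewise.tech case; `lapsed-dev` is critical for the cheaper variant where the domain is simply free to register; `active-dev` only gets an expiry warning, which is the point at which a store could nag the publisher to renew before the account becomes the next target.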
Users are advised to download crypto wallets directly from official sites, to check that a snap's listed publisher is actually the wallet vendor before installing or updating it, and to enable 2FA on their accounts. Publishers should renew the domains behind their account e-mail promptly, since a lapsed domain is the foothold this attack needs. Help Net Security contacted Canonical for planned enhancements, with updates pending.
This incident underscores growing threats to software distribution channels, eroding trust in app stores as attackers favor high-impact exploits over direct code vulnerabilities.