SlowMist Flags Snap Store Attack Targeting Crypto Seed Phrases

TheNewsCryptoPublicado a 2026-01-21Actualizado a 2026-01-21

Resumen

Blockchain security firm SlowMist has identified a new Linux-based threat targeting cryptocurrency users through the Snap Store. Attackers hijack trusted publisher accounts by exploiting expired domains, then push malicious updates to popular wallet apps like Exodus, Ledger Live, and Trust Wallet. These fake apps prompt users to enter their recovery phrases, which are then stolen, enabling attackers to drain funds. This supply-chain attack exploits user trust in official update channels, making it highly effective. SlowMist warns users to verify publishers and avoid entering seed phrases on unfamiliar platforms, highlighting a growing trend of infrastructure-focused attacks in crypto security.

Blockchain security firm SlowMist has flagged a new Linux-based threat that targets crypto recovery phrases by exploiting trusted apps distributed through the Snap Store. The company warned that attackers are hijacking long-standing Snap Store publisher accounts and pushing malicious wallet updates through official distribution channels, putting long-time Linux users at risk.

In a post on X, SlowMist chief information security officer 23pds said attackers are abusing expired domains linked to legitimate Snap Store publishers. After regaining control of those domains, the attackers reset account credentials, take over trusted developer accounts, and publish malware disguised as wallet software updates. This tactic gives the attack a dangerous advantage: users often trust updates from established publishers and install them without suspicion.

Once the malicious apps land on a victim’s system, they prompt users to enter crypto wallet recovery phrases. The malware then exfiltrates those phrases, allowing attackers to drain wallets quickly, often before the victim realizes anything went wrong.

Attackers hijack Snap Store publishers using expired domains

The Snap Store is the official app store for Linux, used for the distribution of software that is packaged as “snaps.” It is considered a trusted source by many users, just like the App Store or Microsoft Store, as it provides verified publishers, easy updates, and a centralized distribution.

SlowMist said attackers are targeting publisher accounts tied to domains that have expired. Once a domain expires, criminals can re-register it and gain access to domain-linked email addresses. From there, they can initiate password resets and seize control of Snap Store developer accounts.

This method enables attackers to compromise publishers with active users and existing download histories. Rather than depending on victims to download the malicious new apps, they inject the malware into the regular updates. This supply chain tactic increases the success rate because users are more likely to accept updates and not check all the changes.

SlowMist has identified at least two domains associated with the compromised publisher accounts: “storewise[.]tech” and “vagueentertainment[.]com.” Once the attackers hijacked the accounts, they allegedly used the apps to impersonate popular crypto wallet brands.

Fake wallet apps mimic trusted brands

According to SlowMist, the affected Snap Store apps are clones of popular wallet applications like Exodus, Ledger Live, and Trust Wallet. Attackers use user interfaces that closely resemble legitimate applications, which increases credibility and reduces suspicion.

These apps, after being installed or updated, will ask the user to input their wallet recovery phrase with the intention of wallet setup, sync, or account verification. After the user has provided the wallet recovery phrase, the attacker can use this phrase to restore the wallet and drain its funds without needing any further access to the victim’s device.

This approach remains very effective because seed phrases provide full control of the assets. Even the strongest passwords and device security cannot protect funds once hackers possess the recovery phrase.

Supply-chain hacks grow more damaging

The incident at the Snap Store is part of a larger trend in crypto security, where attackers are moving from exploiting protocols to compromising infrastructure. Instead of attacking smart contracts directly, criminals increasingly target trusted software distribution systems, update channels, and third-party service providers.

CertiK data shared with the media house in December showed crypto hack losses reached $3.3 billion in 2025, even though the number of incidents declined. According to CertiK, the losses were more concentrated in fewer but more serious supply chain events, with $1.45 billion in losses being attributed to only two major incidents.

This trend indicates that attackers are optimizing for scale and impact. With the improvement of DeFi security at the smart contract level, attackers target the weakest links, apps, publishers, and update infrastructure, where trust is the biggest vulnerability.

What users should watch next?

For Linux users who keep crypto, the wallet software download and update processes must be done with extra care. Users need to verify the identity of the publishers, check the official download sources, and avoid entering recovery phrases on unfamiliar platforms. Security teams may also need to monitor Snap Store listings more closely, especially when there are sudden changes in the ownership of publishers.

The takeaway from the SlowMist alert is clear: the greatest danger now often comes from trusted sources, not the obvious phishing scams.

Highlighted Crypto News:

Tom Lee Warns Crypto Markets Could Face Painful Correction in 2026

Preguntas relacionadas

QWhat is the new threat flagged by SlowMist that targets crypto recovery phrases?

ASlowMist has flagged a new Linux-based threat that targets crypto recovery phrases by exploiting trusted apps distributed through the Snap Store. Attackers hijack long-standing publisher accounts and push malicious wallet updates.

QHow do attackers gain control of trusted Snap Store publisher accounts?

AAttackers abuse expired domains linked to legitimate publishers. They re-register the expired domains, gain access to domain-linked email addresses, reset account credentials, and take over the trusted developer accounts.

QWhich popular crypto wallet brands are being impersonated by the malicious apps in this attack?

AThe malicious apps are clones that impersonate popular crypto wallet brands like Exodus, Ledger Live, and Trust Wallet.

QWhy are supply-chain attacks like the one on the Snap Store becoming more damaging according to the article?

ASupply-chain attacks are becoming more damaging because attackers are targeting trusted software distribution systems and update channels, leading to fewer but more serious incidents with concentrated losses, as seen in the $1.45 billion attributed to just two major events in 2025.

QWhat precautions should Linux users take to protect themselves from such threats?

ALinux users should verify the identity of publishers, check official download sources, avoid entering recovery phrases on unfamiliar platforms, and monitor Snap Store listings for sudden changes in publisher ownership.

Lecturas Relacionadas

Anthropic Cries Wolf: Is the AGI Threat Real, or Just an IPO Story?

Anthropic has published an article titled "When AI builds itself," discussing the emerging concept of "recursive self-improvement," where AI begins to actively participate in designing, training, testing, and optimizing its own subsequent versions. The company presents internal data showing that by May 2026, over 80% of code merged into its codebase was written by Claude, its AI model. Claude's capabilities have expanded to handling complex, open-ended engineering tasks, achieving a 76% success rate in such areas, and even contributing to research processes, such as optimizing code performance and conducting AI safety experiments. Anthropic outlines an evolution from human-driven development to AI-assisted workflows, culminating in the current stage where AI agents can autonomously write, run, and delegate code. The company cautions that the path toward a "closed loop," where AI continuously improves itself, is becoming visible. It calls for coordinated global mechanisms to potentially slow or pause frontier AI development to allow safety research and societal structures to catch up. However, the timing of this warning coincides with Anthropic's preparations for an IPO, framing the narrative not just as a safety concern but also as a demonstration of Claude's advanced capabilities and its integral role in accelerating Anthropic's own R&D—creating a potential "flywheel" effect for competitive advantage. This contrasts with OpenAI's recent, more policy-oriented discussion of the same risks, highlighting the competitive dynamics in the AI industry as companies position themselves in both the technological and regulatory landscape.

marsbitHace 15 min(s)

Anthropic Cries Wolf: Is the AGI Threat Real, or Just an IPO Story?

marsbitHace 15 min(s)

Coinbase Targets Crypto Crime, Freezing $3M Linked To Scam Operations

Coinbase froze over $3 million in cryptocurrency linked to Southeast Asian scam networks as part of a multi-agency "Disruption Week" campaign. The operation, coordinated by the DOJ's Scam Center Strike Force, involved companies like Meta, Microsoft, and Starlink, and disrupted over 1.4 million scam accounts. The DOJ noted that investment fraud, including "pig butchering" scams, is among the fastest-growing threats, with crypto-related scams causing billions in losses. This action follows other recent crackdowns targeting scam infrastructure globally. Coinbase highlighted that blockchain provides a permanent transaction record, aiding investigations and countering the narrative that crypto is solely a tool for crime.

bitcoinistHace 20 min(s)

Coinbase Targets Crypto Crime, Freezing $3M Linked To Scam Operations

bitcoinistHace 20 min(s)

BIT Research: ETF Purchases Have Slowed, Strategy (MicroStrategy) Has Slowed, What Else Can Drive Bitcoin's Rise?

Market Refocus on Inflation and Rate Expectations Weighs on Bitcoin Currently, the market is in a phase of macro-repricing dominated by inflation and interest rate expectations. Bitcoin, which previously benefited from easy liquidity and low inflation, is seeing its core bullish drivers weaken. These drivers were market expectations for interest rate cuts and strong inflows from Bitcoin ETFs and institutions like MicroStrategy (referred to as "Strategy" in the text). The logic has shifted. Recent high inflation data (e.g., CPI hitting 3.8% in a May 2026 report) has caused the market to sharply reduce its rate cut expectations for 2025 and even price in potential hikes. This is a key constraint for Bitcoin, as it lacks cash flows and is highly sensitive to rate expectations. Concurrently, institutional capital flows have slowed significantly. Following the hot CPI data, Bitcoin ETFs saw accelerated outflows, with around $4.3 billion leaving over a period. MicroStrategy's ability to keep adding substantial Bitcoin to its balance sheet is also diminishing. Together, ETF and MicroStrategy holdings total roughly $110 billion, but their momentum as growth engines is cooling. In summary, Bitcoin's current pressure stems not from its own fundamentals but from a changing macro environment. As long as inflation stays elevated, Bitcoin is likely to remain in a consolidating phase. However, historically, inflation eventually peaks. Once it recedes and rate cut expectations rebuild, institutional capital could return, potentially fueling a new and more robust recovery phase for Bitcoin.

marsbitHace 23 min(s)

BIT Research: ETF Purchases Have Slowed, Strategy (MicroStrategy) Has Slowed, What Else Can Drive Bitcoin's Rise?

marsbitHace 23 min(s)

Earning 1000 Trillion in Half a Year, 'Pocketing' 20 Million per Capita: This Round of Wealth Creation in the Korean Stock Market is Unprecedented in Scale

The South Korean stock market is experiencing an unprecedented wealth surge in 2026, with household equity and fund asset values soaring by over 1,000 trillion KRW (~$730bn) year-to-date. This translates to an average per capita wealth increase of roughly 20 million KRW, fueled by a historic 109% rally in the KOSPI index. The boom is driven by three converging forces: an AI-driven semiconductor supercycle boosting giants like Samsung and SK Hynix; the government's "Value-Up" market reforms addressing long-standing corporate governance issues; and aggressive real estate regulations that have locked capital within financial markets, preventing profits from flowing back into property. This has triggered a wealth effect, boosting high-end consumption significantly. However, the gains are highly concentrated. The two semiconductor behemoths account for over half the index's value, but retail investors own relatively low stakes in them, systematically missing the biggest rallies. Wealth and consumption benefits are skewed towards luxury goods and imported cars, bypassing mainstream retail. Further risks stem from excessive leverage, with high trading volume in leveraged ETFs, and a market sentiment heavily reliant on the AI sector's fortunes and speculative rumors. While this cycle marks a potential shift from real estate to equities as a primary wealth generator for Koreans, its sustainability, amid structural imbalances and leverage, remains a critical test.

marsbitHace 28 min(s)

Earning 1000 Trillion in Half a Year, 'Pocketing' 20 Million per Capita: This Round of Wealth Creation in the Korean Stock Market is Unprecedented in Scale

marsbitHace 28 min(s)

Behind ZEC's Over 30% Plunge: An 'Unlimited Minting' Vulnerability with No Way to Prove if It Was Ever Exploited

A critical vulnerability was discovered in Zcash's Orchard privacy pool, allowing for the theoretical creation of undetectable counterfeit ZEC. Researcher Taylor Hornby found the flaw on May 29th, 2024, within the Orchard circuit's cryptographic constraints, which could let an attacker bypass asset conservation rules. Although a rapid emergency fix was deployed within days via a coordinated soft and hard fork, a core uncertainty remains: due to Orchard's privacy features, it is impossible to cryptographically prove whether this "unlimited mint" flaw was exploited in the nearly four years since the pool's 2022 launch. This uncertainty, rather than the patched flaw itself, triggered a market panic, causing ZEC's price to drop over 30%. While the Zcash Foundation stated no evidence of exploitation was found, independent entity Shielded Labs emphasized the impossibility of definitively proving no counterfeit ZEC was ever created. The incident highlights the unique trust challenge in privacy systems. To address this, developers are proposing a new network upgrade with enhanced auditing to allow verifiable proof of supply integrity. Notably, the researcher utilized the newly released AI model Claude Opus 4.8 as a tool during the security review, signaling the growing role of advanced AI in uncovering complex cryptographic vulnerabilities.

marsbitHace 30 min(s)

Behind ZEC's Over 30% Plunge: An 'Unlimited Minting' Vulnerability with No Way to Prove if It Was Ever Exploited

marsbitHace 30 min(s)

Trading

Spot

Futuros