Blockchain security firm SlowMist has flagged a new Linux-based threat that targets crypto recovery phrases by exploiting trusted apps distributed through the Snap Store. The company warned that attackers are hijacking long-standing Snap Store publisher accounts and pushing malicious wallet updates through official distribution channels, putting long-time Linux users at risk.
In a post on X, SlowMist chief information security officer 23pds said attackers are abusing expired domains linked to legitimate Snap Store publishers. After regaining control of those domains, the attackers reset account credentials, take over trusted developer accounts, and publish malware disguised as wallet software updates. This tactic gives the attack a dangerous advantage: users often trust updates from established publishers and install them without suspicion.
Once the malicious apps land on a victim’s system, they prompt users to enter crypto wallet recovery phrases. The malware then exfiltrates those phrases, allowing attackers to drain wallets quickly, often before the victim realizes anything went wrong.
Attackers hijack Snap Store publishers using expired domains
The Snap Store is the official app store for Linux, used for the distribution of software that is packaged as “snaps.” It is considered a trusted source by many users, just like the App Store or Microsoft Store, as it provides verified publishers, easy updates, and a centralized distribution.
SlowMist said attackers are targeting publisher accounts tied to domains that have expired. Once a domain expires, criminals can re-register it and gain access to domain-linked email addresses. From there, they can initiate password resets and seize control of Snap Store developer accounts.
This method enables attackers to compromise publishers with active users and existing download histories. Rather than depending on victims to download the malicious new apps, they inject the malware into the regular updates. This supply chain tactic increases the success rate because users are more likely to accept updates and not check all the changes.
SlowMist has identified at least two domains associated with the compromised publisher accounts: “storewise[.]tech” and “vagueentertainment[.]com.” Once the attackers hijacked the accounts, they allegedly used the apps to impersonate popular crypto wallet brands.
Fake wallet apps mimic trusted brands
According to SlowMist, the affected Snap Store apps are clones of popular wallet applications like Exodus, Ledger Live, and Trust Wallet. Attackers use user interfaces that closely resemble legitimate applications, which increases credibility and reduces suspicion.
These apps, after being installed or updated, will ask the user to input their wallet recovery phrase with the intention of wallet setup, sync, or account verification. After the user has provided the wallet recovery phrase, the attacker can use this phrase to restore the wallet and drain its funds without needing any further access to the victim’s device.
This approach remains very effective because seed phrases provide full control of the assets. Even the strongest passwords and device security cannot protect funds once hackers possess the recovery phrase.
Supply-chain hacks grow more damaging
The incident at the Snap Store is part of a larger trend in crypto security, where attackers are moving from exploiting protocols to compromising infrastructure. Instead of attacking smart contracts directly, criminals increasingly target trusted software distribution systems, update channels, and third-party service providers.
CertiK data shared with the media house in December showed crypto hack losses reached $3.3 billion in 2025, even though the number of incidents declined. According to CertiK, the losses were more concentrated in fewer but more serious supply chain events, with $1.45 billion in losses being attributed to only two major incidents.
This trend indicates that attackers are optimizing for scale and impact. With the improvement of DeFi security at the smart contract level, attackers target the weakest links, apps, publishers, and update infrastructure, where trust is the biggest vulnerability.
What users should watch next?
For Linux users who keep crypto, the wallet software download and update processes must be done with extra care. Users need to verify the identity of the publishers, check the official download sources, and avoid entering recovery phrases on unfamiliar platforms. Security teams may also need to monitor Snap Store listings more closely, especially when there are sudden changes in the ownership of publishers.
The takeaway from the SlowMist alert is clear: the greatest danger now often comes from trusted sources, not the obvious phishing scams.
Highlighted Crypto News:
Tom Lee Warns Crypto Markets Could Face Painful Correction in 2026
