Crypto: Slowmist Flags Linux Snap Store Attack Targeting Crypto Seed Phrases

Attackers have hijacked trusted Snap Store publishers via expired domains, allowing malicious wallet updates to reach long-time Linux users.

Blockchain security company SlowMist flagged a new Linux-based attack vector that exploits trusted applications distributed through the Snap Store to steal users’ crypto recovery seed phrases.

In a post on X, SlowMist’s chief information security officer, 23pds, said attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels.

The compromised applications reportedly impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet, using interfaces that closely resemble legitimate software.

Once installed or updated, the malicious apps prompt users to enter wallet recovery phrases, allowing attackers to exfiltrate credentials and drain funds without users realizing they have been compromised.

The Snap Store is the official Linux app store used to distribute software packaged in a format called “snaps.” It is commonly considered Linux’s equivalent of Apple’s App Store on macOS and the Microsoft Store on Windows.

SlowMist said the attack relies on monitoring Snap Store developer accounts linked to domains that have expired but were previously associated with legitimate publishers.

Once a domain expires, attackers can re-register it and use domain-linked email addresses to reset Snap Store account credentials.

The SlowMist executive said the process allows attackers to quietly take control of established publisher accounts with existing download histories and active users. From there, malicious code can be pushed through routine software updates rather than fresh installations.

SlowMist confirmed that two publisher domains, namely “storewise[.]tech” and “vagueentertainment[.]com,” have been compromised using the attack vector. Applications tied to the accounts were reportedly modified to impersonate well-known crypto wallets.
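A defender can audit for the takeover path described above by checking whether a publisher's contact domain was registered more recently than the publisher account itself. The following is an added example, not code from SlowMist or the Snap Store; the inventory fields, snap names, domains and dates are constructed assumptions, standing in for contact details and WHOIS/RDAP registration dates an auditor has collected.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed inventory: snap name, publisher contact, and the date the auditor
# first recorded that publisher account (hypothetical field names and values).
SNAPS = [
    {"name": "notes-app", "contact": "mailto:dev@example.org", "publisher_since": date(2019, 3, 1)},
    {"name": "wallet-helper", "contact": "https://support.example.net/help", "publisher_since": date(2018, 6, 10)},
    {"name": "old-tool", "contact": "maintainer@example.com", "publisher_since": date(2020, 1, 15)},
]
# Constructed current registration dates, keyed by registered domain.
REGISTRATIONS = {"example.org": date(2012, 5, 4), "example.net": date(2025, 11, 2)}

def contact_host(contact):
    """Return the lowercase host from a mailto:, URL or bare e-mail contact."""
    contact = contact.strip()
    if contact.startswith("mailto:"):
        contact = contact[len("mailto:"):]
    if "://" in contact:
        host = urlparse(contact).hostname or ""
    elif "@" in contact:
        host = contact.rsplit("@", 1)[1]
    else:
        host = contact
    return host.lower().rstrip(".")

def find_registration(host, registrations):
    """Walk up from the host to its parent domains until a record matches."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registrations:
            return candidate, registrations[candidate]
    return host, None

def flag_reregistered(snaps, registrations):
    """Flag snaps whose contact domain is newer than the publisher account."""
    findings = []
    for snap in snaps:
        domain, registered = find_registration(contact_host(snap["contact"]), registrations)
        if registered is None:
            findings.append((snap["name"], domain, "no registration record"))
        elif registered > snap["publisher_since"]:
            findings.append((snap["name"], domain, "registered after publisher account"))
    return findings

if __name__ == "__main__":
    for finding in flag_reregistered(SNAPS, REGISTRATIONS):
        print(finding)
```

A domain whose current registration postdates the publisher account has lapsed and been registered again at some point, so any account recovery e-mail sent to it may no longer reach the original publisher.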

Source: CoinTelegraph