
Trusted Linux Snap Store Wallets Turn Malicious After Domain Takeovers

Nahid
Published: January 22, 2026
5 min read


TL;DR

  • SlowMist has flagged a new Linux-focused attack abusing trusted Snap Store apps to steal crypto recovery phrases

  • Attackers hijack old developer accounts by reclaiming expired domains tied to publisher emails

  • Fake updates impersonate wallets like Exodus, Ledger Live, and Trust Wallet

  • The campaign targets long-time Linux users who trust established publishers

  • Security researchers warn the current Snap Store trust model is no longer holding up

 

Linux users are often seen as the more cautious crowd in crypto. Fewer downloads, more terminal commands, and a general preference for open-source tools. That’s exactly why the latest warning from blockchain security firm SlowMist has raised eyebrows.

In a recent post on X, SlowMist’s chief information security officer, known as 23pds, highlighted a new attack vector spreading through Canonical’s Snap Store. The issue isn’t a flashy zero-day or a kernel exploit. It’s something more uncomfortable: attackers are abusing trust, specifically the trust built over years by legitimate Snap Store publishers.


The attack hinges on expired domains. Some long-standing Snap Store developers originally registered their accounts using email addresses tied to custom domains. Over time, those domains expired and were abandoned. Threat actors noticed. Whoever re-registers an expired domain controls its DNS, so an attacker can point its mail records at a server they run, and any message sent to the old publisher address, including a password-reset link, lands in their inbox. From there they reset the developer account password and quietly take over Snap Store listings that had existed for years.

From the user’s perspective, nothing looked wrong. The app name was familiar. The publisher had history. The update came through official channels. That’s where the damage starts.

How fake wallet updates steal everything

Once attackers gain access to a trusted publisher account, they push malicious updates through the Snap Store. These compromised packages are designed to impersonate well-known crypto wallets, including Exodus, Ledger Live, and Trust Wallet. The interfaces closely mirror the real applications, making detection difficult even for experienced users. After installation or update, the malicious app prompts users to enter their wallet recovery seed phrase. Some present it as a routine security check. Others claim a sync issue or account verification problem.

The result is the same. Once the recovery phrase is entered, it is exfiltrated to the attacker. Funds can then be drained silently, often without immediate signs of compromise. There’s no phishing link. No sketchy download site. Everything happens inside what appears to be a legitimate Linux app ecosystem. According to reporting from Risky Business, at least two Snap Store developer accounts have already been hijacked using this method. The compromised accounts were originally registered using email addresses tied to the domains storewise.tech and vagueentertainment.com.

This technique is often referred to as a domain resurrection attack. It’s not new in the broader security world, but its appearance inside the Snap Store ecosystem raises serious questions about how trust signals are handled for package distribution.

A campaign that didn’t start yesterday

This isn’t a one-off incident. Linux expert and former Canonical developer Alan Pope says the same group has been targeting Snap Store users for years, with a clear focus on cryptocurrency holders. The attackers have repeatedly published malicious crypto-related packages using different strategies. Some relied on typosquatted names that closely resemble legitimate wallets. Others distributed harmless-looking apps that later turned malicious during an update, catching users off guard. Based on observed behavior and infrastructure, Pope believes the group behind this campaign is located in Croatia. More importantly, he warns that the domain takeover method strikes at one of the few remaining trust anchors users rely on.

"The domain takeover angle is particularly concerning because it undermines one of the few trust signals users had: publisher longevity. Canonical needs to address this, whether that’s monitoring for domain expiry on publisher accounts, requiring additional verification for accounts that have been dormant, implementing mandatory two-factor authentication, or something else entirely. I don’t have all the answers, but I know the current situation isn’t sustainable."

That assessment cuts to the core of the issue. Longevity has always implied safety. A package that’s been around for years feels safer than something uploaded last week. This attack flips that assumption on its head.
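The monitoring Pope asks for, as an added example that is not Canonical’s, SlowMist’s or Pope’s code: it scores each publisher account on the three things the takeover described above needed (a mail domain someone else can register, an owner who will not notice, and a password reset that email alone completes). The publisher records, expiry dates and `.test` domains are constructed sample data; a real deployment would read accounts from the store’s own database and domain expiry from RDAP or WHOIS.

```python
"""Expiry monitor for publisher-account mail domains (added example, not
Canonical's or SlowMist's code). Every record below is constructed sample data;
a real deployment would pull publishers from the store database and domain
expiry from RDAP/WHOIS."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Publisher:
    """Constructed shape of a publisher account; not the Snap Store's schema."""
    name: str
    email: str
    last_login: date
    two_factor: bool = False


@dataclass
class DomainStatus:
    """Stand-in for an RDAP/WHOIS answer. expires=None means nobody holds the name."""
    expires: Optional[date]


def email_domain(email: str) -> str:
    """Lower-cased part after the last '@' (no IDN or public-suffix handling here)."""
    return email.rsplit("@", 1)[1].lower()


def assess(pub: Publisher, registry: dict[str, DomainStatus], today: date,
           soon_days: int = 30, dormant_days: int = 365) -> dict:
    """Rate how exposed one account is to an email-domain takeover.

    The attack needs (1) a mail domain the attacker can register, (2) an owner
    who will not notice, (3) password reset by email alone. Each finding maps
    to one of those.
    """
    domain = email_domain(pub.email)
    status = registry.get(domain, DomainStatus(expires=None))
    findings = []

    domain_gone = status.expires is None or status.expires < today
    domain_soon = (not domain_gone
                   and status.expires - today <= timedelta(days=soon_days))
    dormant = today - pub.last_login > timedelta(days=dormant_days)

    if status.expires is None:
        findings.append("domain unregistered: anyone can buy it and receive password resets")
    elif domain_gone:
        findings.append(f"domain expired {(today - status.expires).days} days ago")
    elif domain_soon:
        findings.append(f"domain expires in {(status.expires - today).days} days")
    if dormant:
        findings.append(f"account dormant for {(today - pub.last_login).days} days")
    if not pub.two_factor:
        findings.append("no 2FA: an email reset alone recovers the account")

    if domain_gone and not pub.two_factor:
        severity = "critical"
        action = "freeze uploads until the owner re-verifies through a second channel"
    elif domain_gone or (domain_soon and dormant):
        severity = "high"
        action = "require re-verification before the next upload is published"
    elif domain_soon or (dormant and not pub.two_factor):
        severity = "medium"
        action = "notify the publisher; prompt to renew the domain and enable 2FA"
    else:
        severity, action = "ok", "none"

    return {"publisher": pub.name, "domain": domain, "severity": severity,
            "action": action, "findings": findings}


# Constructed sample data; dates are arbitrary and the .test TLD is reserved.
TODAY = date(2026, 1, 22)
REGISTRY = {
    "expired-publisher.test": DomainStatus(expires=date(2025, 12, 15)),
    "renewing-publisher.test": DomainStatus(expires=date(2026, 2, 11)),
    "healthy-publisher.test": DomainStatus(expires=date(2027, 6, 30)),
    # lapsed-publisher.test is absent: its registration was dropped entirely
}
PUBLISHERS = [
    Publisher("wallet-dev-a", "dev@lapsed-publisher.test", date(2021, 3, 4)),
    Publisher("wallet-dev-b", "ops@renewing-publisher.test", date(2026, 1, 10), two_factor=True),
    Publisher("wallet-dev-c", "team@healthy-publisher.test", date(2025, 12, 1), two_factor=True),
    Publisher("wallet-dev-d", "me@expired-publisher.test", date(2025, 11, 1), two_factor=True),
]


def run_report(publishers=PUBLISHERS, registry=REGISTRY, today=TODAY) -> list[dict]:
    """Assess every publisher, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    return sorted((assess(p, registry, today) for p in publishers),
                  key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for r in run_report():
        print(f"[{r['severity']:8}] {r['publisher']} ({r['domain']}): {r['action']}")
        for f in r["findings"]:
            print(f"           - {f}")
```

The severity ladder is deliberate: an unregistered or expired domain on an account without 2FA is the exact precondition of the attack in this article and is the only case that warrants freezing uploads outright; everything else is a nudge to the publisher before it becomes that case.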

Why this matters beyond Linux

At first glance, this may look like a niche Linux problem. In reality, it touches a much larger nerve in crypto security. Seed phrases remain the single point of failure for most self-custody users. Once exposed, there is no recovery process, no support ticket, and no rollback. Attacks that capture recovery phrases don’t need to break cryptography or compromise blockchains. They only need to convince a user to trust the wrong interface once.

What makes this campaign particularly dangerous is how ordinary it looks. No malware warnings, no browser pop-ups, just a routine app update from a familiar source. It also highlights a broader issue with software distribution in crypto-adjacent environments. As more users rely on app stores, package managers, and automated updates, attackers are shifting away from obvious scams toward infrastructure-level trust abuse.

Closing Thoughts

SlowMist’s warning isn’t just about one store or one operating system. It’s a reminder that security assumptions age faster than software. For now, Linux users are being advised to double-check wallet updates, avoid entering recovery phrases into desktop apps unless absolutely necessary, and treat any prompt for a seed phrase as a red flag regardless of how trusted the source appears. A legitimate wallet needs the recovery phrase only to restore a wallet it does not already hold; a routine update or a "sync fix" does not.
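One way to act on that advice from the user’s side, as an added example rather than snapd’s or any wallet vendor’s code: a script that parses the top-level fields of `snap info <name>`, checks for the publisher’s verified badge, and compares snap-id, publisher and installed revision against values pinned at an earlier audit. The `snap info` text, the pin file and the snap names are constructed, and the field layout is an assumption about snapd’s output format, so treat the parser as a starting point. The caveat is built in: because the attackers hijacked the publisher’s own account, snap-id and publisher do not change in this campaign. What the check can surface is an unverified publisher and the fact that a new revision landed, which is the cue to read the changelog before launching the wallet.

```python
"""Audit installed wallet snaps from `snap info` output (added example, not
snapd's code). SAMPLE_INFO below is constructed text shaped like snapd's
top-level `key: value` lines; it was not captured from a real system."""
import re
import subprocess
from typing import Optional, Tuple

# Publisher field as snapd prints it (assumed layout): display name, optional
# "(username)" when it differs from the display name, trailing badge
# (✓ verified, ✪ starred).
_PUBLISHER_RE = re.compile(r"^(.*?)(?:\s+\(([^)]+)\))?\s*([✓✪])?$")
_INSTALLED_RE = re.compile(r"^(\S+)\s+\((\d+)\)")   # "2.1.0 (42) 85MB -"
_TOPLEVEL_RE = re.compile(r"^([a-z-]+):\s*(.*)$")   # unindented keys only


def parse_snap_info(text: str) -> dict:
    """Keep top-level keys only; indented lines (description, channels) are
    skipped, so a description containing 'publisher:' cannot spoof the field."""
    fields = {}
    for line in text.splitlines():
        m = _TOPLEVEL_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_publisher(value: str) -> Tuple[str, Optional[str], bool]:
    """'Mozilla✓' -> ('Mozilla', None, True)
    'Acme Apps (acme-apps)' -> ('Acme Apps', 'acme-apps', False)"""
    m = _PUBLISHER_RE.match(value.strip())
    display, username, badge = m.group(1).strip(), m.group(2), m.group(3)
    return display, username, badge == "✓"   # ✪ is not treated as verification


def parse_installed(value: str) -> Tuple[Optional[str], Optional[str]]:
    """'2.1.0 (42) 85MB -' -> ('2.1.0', '42')"""
    m = _INSTALLED_RE.match(value)
    return (m.group(1), m.group(2)) if m else (None, None)


def audit(name: str, info_text: str, pin: dict, last_revision: Optional[str]) -> dict:
    """Compare one snap against what was pinned at the last audit.

    A hijacked publisher account keeps its snap-id and publisher, so for this
    article's campaign only the badge and revision checks can fire, and the
    revision check only says "something changed, go look".
    """
    f = parse_snap_info(info_text)
    display, username, verified = parse_publisher(f.get("publisher", ""))
    version, revision = parse_installed(f.get("installed", ""))
    who = username or display
    warnings = []
    if not verified:
        warnings.append(f"publisher '{display}' is not verified (no ✓)")
    if pin.get("snap-id") and f.get("snap-id") != pin["snap-id"]:
        warnings.append("snap-id differs from pin: this is a different snap entirely")
    if pin.get("publisher") and who != pin["publisher"]:
        warnings.append(f"publisher changed: pinned {pin['publisher']!r}, now {who!r}")
    if last_revision is not None and revision != last_revision:
        warnings.append(f"revision changed {last_revision} -> {revision}: "
                        "an update landed, review before use")
    return {"snap": name, "version": version, "revision": revision,
            "publisher": who, "verified": verified, "warnings": warnings}


# Constructed `snap info` output for two hypothetical snaps.
SAMPLE_INFO = {
    "acme-wallet": """\
name:      acme-wallet
summary:   Acme crypto wallet (constructed sample)
publisher: Acme Apps (acme-apps)
store-url: https://snapcraft.io/acme-wallet
license:   unset
description: |
  Manage your coins.
  publisher: Acme Corp✓   <- inside the description, must be ignored
snap-id:      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
tracking:     latest/stable
channels:
  latest/stable:    2.1.0 2026-01-20 (42) 85MB -
installed:          2.1.0 (42) 85MB -
""",
    "acme-browser": """\
name:      acme-browser
publisher: Acme Corp✓
snap-id:      bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
tracking:     latest/stable
installed:    9.0 (310) 120MB -
""",
}
# Values recorded at the previous audit (constructed).
PINS = {
    "acme-wallet": {"snap-id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "publisher": "acme-apps"},
    "acme-browser": {"snap-id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "publisher": "Acme Corp"},
}
LAST_REVISION = {"acme-wallet": "41", "acme-browser": "310"}


def live_snap_info(name: str) -> str:
    """Fetch real output on a snapd host; not used by the offline sample run."""
    return subprocess.run(["snap", "info", name], capture_output=True,
                          text=True, check=True).stdout


def audit_all(info=SAMPLE_INFO, pins=PINS, last=LAST_REVISION) -> dict:
    return {n: audit(n, text, pins.get(n, {}), last.get(n)) for n, text in info.items()}


if __name__ == "__main__":
    for r in audit_all().values():
        flag = "WARN" if r["warnings"] else " ok "
        print(f"[{flag}] {r['snap']} {r['version']} rev {r['revision']} by {r['publisher']}")
        for w in r["warnings"]:
            print(f"        - {w}")
```

Pair it with `snap refresh --hold <snap>` to stop automatic refreshes of wallet snaps until you have looked at them, and `snap revert <snap>` to go back to the previous revision if a new one looks wrong. Replace `SAMPLE_INFO` with `live_snap_info(name)` per snap to run it against a real system.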


 

About the Author

Nahid

Nahid is a contributor at CotiNews from Bangladesh, covering developments across the COTI ecosystem. His work focuses on breaking down complex updates, technical concepts, and ecosystem news into clear, accessible stories for a wider audience.

Disclaimer

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official stance of CotiNews or the COTI ecosystem. All content published on CotiNews is for informational and educational purposes only and should not be construed as financial, investment, legal, or technological advice. CotiNews is an independent publication and is not affiliated with coti.io, coti.foundation or its team. While we strive for accuracy, we do not guarantee the completeness or reliability of the information presented. Readers are strongly encouraged to do their own research (DYOR) before making any decisions based on the content provided. For corrections, feedback, or content takedown requests, please reach out to us at contact@coti.news.
