In a novel attack, cybercriminals exploit trust in the official Snap Store on Linux to steal seed phrases from cryptocurrency wallets. This was reported by SlowMist’s head of information security, known as 23pds.
Linux users beware: A new attack has erupted in the Snap Store, with expired domains becoming hacker backdoors to steal users’ crypto assets.
Compromised apps disguise themselves as well-known crypto wallets like Exodus, Ledger Live, or Trust Wallet, tricking users into entering their “wallet recovery mnemonic,” leading to theft of funds. https://t.co/PaHiXCbfUU
— 23pds (山哥) (@im23pds) January 21, 2026
In this attack, cybercriminals register expired domains associated with developer accounts in the Snap Store. This allows them to stealthily gain control over established accounts that have a history and active users.
Subsequently, the fraudsters use the official channels to distribute updates containing malicious code for software already installed on victims’ devices.
The compromised applications masquerade as popular crypto wallets—Exodus, Ledger Live, and Trust Wallet—and prompt users to enter a recovery mnemonic phrase, which is then sent to the attackers.
According to SlowMist, two domains—“storewise[.]tech” and “vagueentertainment[.]com”—have been compromised using this scheme.
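A defender-side check for the scheme described above, as an added example that is not from SlowMist or the Snap Store: it parses `snap list` output and flags installed snaps whose names match the wallets named in the article when the publisher carries no verified mark or the revision differs from a saved baseline. The sample listing, publisher names and baseline are constructed, and name matching is a heuristic that assumes the impersonation is visible in the snap name.

```python
import re

# Brand keywords taken from the wallets named in the article.
WALLET_KEYWORDS = ("exodus", "ledger", "trustwallet")
# snapd marks verified publishers with a check mark ("**" on non-Unicode terminals).
VERIFIED_MARKS = ("✓", "**")

# Constructed sample of `snap list` output (hypothetical snaps and publishers).
SAMPLE = """\
Name           Version   Rev   Tracking       Publisher    Notes
core22         20240111  1122  latest/stable  canonical✓   base
firefox        121.0     3626  latest/stable  mozilla✓     -
exodus-wallet  24.1.2    17    latest/stable  examplepub   -
ledger-live    2.75.0    42    latest/stable  otherpub**   -
trust-wallet   1.0.3     9     latest/stable  thirdpub     -
"""

def parse_snap_list(text):
    """Yield (name, revision, publisher) for each row of `snap list` output."""
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 5:
            yield cols[0], cols[2], cols[4]

def audit(text, baseline=None):
    """Return wallet-like snaps that are unverified or changed since baseline.

    baseline maps snap name -> revision recorded at the last review.
    """
    baseline = baseline or {}
    findings = []
    for name, rev, publisher in parse_snap_list(text):
        flat = re.sub(r"[^a-z0-9]", "", name.lower())
        if not any(keyword in flat for keyword in WALLET_KEYWORDS):
            continue
        verified = publisher.endswith(VERIFIED_MARKS)
        rev_changed = name in baseline and baseline[name] != rev
        if not verified or rev_changed:
            findings.append({"snap": name, "publisher": publisher,
                             "verified": verified, "rev_changed": rev_changed})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, baseline={"ledger-live": "41"}):
        print(finding)
```

A flagged entry is a prompt to confirm the publisher against the wallet vendor's own download page before entering a recovery phrase.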
The attack vector described by specialists reflects a general shift in cyber threats to the crypto industry. Instead of direct attempts to compromise smart contracts, attackers increasingly target infrastructure and software distribution channels, exploiting users’ trust in official sources.
In late December, hackers embedded malicious code in a Trust Wallet update for Chrome. The attack affected 2,520 addresses and resulted in losses of $8.5 million.
It was later discovered that the breach was due to the large-scale Sha1-Hulud supply chain attack, recorded back in November. At that time, hackers gained access to developers’ sensitive data on GitHub and the API key for the Chrome Web Store.
In 2025, hackers stole over $3.4 billion in cryptocurrency, as reported by Chainalysis.
