{"id":93399,"date":"2026-01-21T17:16:01","date_gmt":"2026-01-21T14:16:01","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=93399"},"modified":"2026-01-21T17:20:15","modified_gmt":"2026-01-21T14:20:15","slug":"slowmist-identifies-future-attack-in-linux-store","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/slowmist-identifies-future-attack-in-linux-store\/","title":{"rendered":"SlowMist Identifies &#8216;Future Attack&#8217; in Linux Store"},"content":{"rendered":"<p>In a novel attack, cybercriminals exploit trust in the official Snap Store on Linux to steal seed phrases from cryptocurrency wallets. This was reported by SlowMist&#8217;s head of information security, known as 23pds.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zh\" dir=\"ltr\">Linux users beware: A new attack has erupted in the Snap Store, with expired domains becoming hacker backdoors to steal users&#8217; crypto assets.<br \/>Compromised apps disguise themselves as well-known crypto wallets like Exodus, Ledger Live, or Trust Wallet, tricking users into entering their &#8220;wallet recovery mnemonic,&#8221; leading to theft of funds.<a href=\"https:\/\/t.co\/PaHiXCbfUU\">https:\/\/t.co\/PaHiXCbfUU<\/a><\/p>\n<p>\u2014 23pds (\u5c71\u54e5) (@im23pds) <a href=\"https:\/\/twitter.com\/im23pds\/status\/2013823659497144474?ref_src=twsrc%5Etfw\">January 21, 2026<\/a><\/p><\/blockquote>\n<p>In this attack, cybercriminals register expired domains associated with developer accounts in the Snap Store. 
This allows them to stealthily gain control over accounts with an established history and active users.<\/p>\n<p>Subsequently, the fraudsters distribute updates containing malicious code through official channels for software already installed on victims&#8217; devices.<\/p>\n<p>The compromised applications masquerade as popular crypto wallets\u2014Exodus, Ledger Live, and Trust Wallet\u2014and prompt users to enter a recovery mnemonic phrase, which is then sent to the attackers.<\/p>\n<p>According to SlowMist, two domains\u2014&#8221;storewise[.]tech&#8221; and &#8220;vagueentertainment[.]com&#8221;\u2014have been compromised using this scheme.<\/p>\n<p>The attack vector described by specialists reflects a general shift in cyber threats to the crypto industry. Instead of direct attempts to compromise smart contracts, attackers increasingly target infrastructure and software distribution channels, exploiting users&#8217; trust in official sources.<\/p>\n<p>In late December, hackers <a href=\"https:\/\/forklog.com\/en\/news\/trust-wallet-users-suffer-7-million-hack\">embedded<\/a> malicious code in a Trust Wallet update for Chrome. The attack <a href=\"https:\/\/forklog.com\/en\/news\/trust-wallet-reveals-details-of-8-5-million-hack\">affected<\/a> 2,520 addresses and resulted in losses of $8.5 million.<\/p>\n<p>It was later discovered that the breach was due to a large-scale supply chain attack on Sha1-Hulud, recorded back in November. 
At that time, hackers gained access to developers&#8217; sensitive data on GitHub and the <span data-descr=\"application programming interface\" class=\"old_tooltip\">API<\/span> key for the Chrome Web Store.<\/p>\n<p>In 2025, hackers <a href=\"https:\/\/forklog.com\/en\/news\/losses-from-crypto-hacks-reached-3-4bn-in-2025\">stole<\/a> over $3.4 billion in cryptocurrency, as reported by Chainalysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a novel attack, cybercriminals exploit trust in the official Snap Store on Linux to steal seed phrases from cryptocurrency wallets. This was reported by SlowMist&#8217;s head of information security, known as 23pds. Linux users beware: A new attack has erupted in the Snap Store, with expired domains becoming hacker backdoors to steal users&#8217; crypto assets. Compromised apps disguise themselves as well-known crypto wallets like Exodus, Ledger Live, or Trust Wallet, tricking users into entering their &#8220;wallet recovery mnemonic,&#8221; leading to theft of funds. 
https:\/\/t.co\/PaHiXCbfUU \u2014 23pds (\u5c71\u54e5) (@im23pds) January 21, 2026 In this attack, cybercriminals register expired domains associated with developer accounts in [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":93400,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Cybercriminals exploit Snap Store trust to steal crypto wallet seed phrases.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1111,1246],"class_list":["post-93399","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-cybersecurity","tag-scammers"],"aioseo_notices":[],"amp_enabled":true,"views":"219","promo_type":"1","layout_type":"1","short_excerpt":"Cybercriminals exploit Snap Store trust to steal crypto wallet seed phrases.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=93399"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93399\/revisions"}],"predecessor-version":[{"id":93401,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93399\/revisions\/93401"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/93400"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=93399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-
json\/wp\/v2\/categories?post=93399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=93399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}