Hackers hijack Snap Store accounts to steal crypto from Linux users

Linux users face a new threat as cybercriminals exploit a critical vulnerability in Canonical’s Snap Store, hijacking trusted developer accounts to distribute cryptocurrency-stealing malware disguised as legitimate wallet applications.

SlowMist’s chief information security officer, 23pds, who has the X handle @im23pds, warned that attackers are monitoring developer accounts whose associated domain names have expired.

How does the Snap Store attack work?

23pds wrote, “Linux users beware: A new type of attack is raging in Snap Store — expired domains have been taken over by hackers and turned into backdoors to steal users’ crypto assets.

The tampered applications are disguised as well-known crypto wallets such as Exodus, Ledger Live, or Trust Wallet, tricking users into entering their ‘wallet recovery seed phrase,’ resulting in complete theft of funds.”

Once a target domain expires and becomes available for registration, the attackers immediately purchase it, then use the email address linked to that domain to trigger password resets on the Snap Store. This grants them complete control over long-established, trusted publisher identities without raising immediate suspicion.

At least two developer accounts have been confirmed as compromised using this method, with domains storewise.tech and vagueentertainment.com falling into the attackers’ hands.

The malicious actors, believed to be based in Croatia according to Alan Pope, a former Canonical developer and Ubuntu contributor, have been conducting campaigns against Snap Store users for approximately two years.

The domain takeover is the latest and most concerning evolution of the action of these bad actors, as it now means that “legitimate software installed and trusted by users for years could have malicious code injected by hackers through official update channels overnight.”

According to 23pds, “The tampered applications are usually disguised as well-known crypto wallets such as Exodus, Ledger Live, or Trust Wallet, with interfaces almost indistinguishable from the genuine versions.”

He stated, “After the app launches, it first connects to a remote server to verify the network, then immediately prompts the user to enter their ‘wallet recovery mnemonic phrase.’ Once the user submits it, these sensitive details are instantly transmitted to the attacker’s server, resulting in the theft of funds.”

Victims often discover that their funds have been stolen before noticing that anything is wrong because the attack exploits long-standing trust relationships.

What are major platforms doing to curtail domain resurrection attacks?

GitHub, PyPI, and npm have all experienced similar domain resurrection attacks. A 2022 academic study identified over 2,800 npm developer accounts configured with email addresses whose domains had subsequently expired, highlighting the scale of potential vulnerability.

In June 2025, the Python security team removed more than 1,800 expired email addresses from developer accounts, forcing developers to re-verify their credentials with active domains upon their next login. 

The problem stems from what security experts call internet or link rot, where developers moving between jobs or email providers fail to update account information across all platforms, creating exploitable security gaps.

Pope stated that Canonical needs to address the issue by implementing safeguards, which could be monitoring domain expiry on publisher accounts, requiring additional verification for dormant accounts, implementing mandatory two-factor authentication, or other measures.

Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.