A new and sophisticated supply-chain attack is targeting Linux users by exploiting trusted applications in Canonical's Snap Store to steal cryptocurrency recovery phrases and drain funds. Blockchain security firm SlowMist issued a warning, detailing how attackers hijack long-established publisher accounts by monitoring and purchasing expired domain names associated with those accounts.
Once a target domain expires, attackers re-register it and use the linked email address to reset credentials for the Snap Store publisher account. This grants them control without raising immediate suspicion, allowing them to push malicious updates to existing, trusted applications. The compromised apps are disguised as legitimate and popular crypto wallets, including Exodus, Ledger Live, and Trust Wallet, with interfaces nearly indistinguishable from the genuine versions.
Upon launching, the malicious software connects to a remote server and prompts the user to enter their wallet recovery seed phrase. This sensitive information is instantly transmitted to the attackers' server, leading to the complete theft of funds. SlowMist's Chief Information Security Officer, 23pds, identified at least two compromised publisher domains: storewise[.]tech and vagueentertainment[.]com.
This attack highlights a significant shift in crypto-focused cyber threats, moving from protocol-level exploits to compromising trusted software distribution channels. According to data from CertiK, supply-chain attacks accounted for massive losses in 2025, with just two incidents resulting in $1.45 billion stolen. The campaign against Snap Store users is believed to have been active for approximately two years, with attackers suspected to be based in Croatia.
The incident underscores a broader industry vulnerability known as "internet rot," where developers fail to update account information across platforms. Similar domain resurrection attacks have affected GitHub, PyPI, and npm. Security experts, including former Canonical developer Alan Pope, are urging Canonical to implement safeguards such as monitoring domain expiry, requiring additional verification for dormant accounts, and enforcing mandatory two-factor authentication.
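The safeguards above (watching for lapsed publisher e-mail domains, treating dormant accounts with more suspicion, and requiring 2FA) can be turned into a platform-side audit that a store operator runs over its own publisher register. The following is an added example written for this article, not code from Canonical, SlowMist or any of the projects named. The publisher records and the RDAP-style registry responses are constructed inline (the response shape follows RFC 9083 `events`/`status` fields; a real audit would fetch them from the registry's RDAP endpoint), and the 30-day expiry window and 365-day dormancy threshold are assumed policy values:

```python
"""Audit publisher accounts for domain-resurrection exposure (example, constructed data)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed sample publisher register: account names, contact e-mails,
# last release dates and 2FA flags are invented for this example.
PUBLISHERS = [
    {"account": "wallet-team", "email": "release@example-active.test",
     "last_release": "2025-11-20", "mfa": True},
    {"account": "old-tools", "email": "dev@example-lapsed.test",
     "last_release": "2023-02-03", "mfa": False},
    {"account": "utils-pub", "email": "ops@example-expiring.test",
     "last_release": "2025-10-01", "mfa": False},
]

# Constructed RDAP-style responses keyed by domain. Real responses come from
# the registry's RDAP service; only the fields this audit reads are included.
RDAP_RESPONSES = {
    "example-active.test": {"status": ["active"], "events": [
        {"eventAction": "expiration", "eventDate": "2027-03-01T00:00:00Z"}]},
    "example-lapsed.test": {"status": ["pending delete"], "events": [
        {"eventAction": "expiration", "eventDate": "2025-09-15T00:00:00Z"}]},
    "example-expiring.test": {"status": ["active"], "events": [
        {"eventAction": "expiration", "eventDate": "2025-12-20T00:00:00Z"}]},
}

NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run
LAPSED_STATUSES = {"pending delete", "redemption period"}  # registry states after expiry
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of a contact e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def expiration_from_rdap(rdap: dict | None) -> datetime | None:
    """Extract the 'expiration' event date from an RDAP domain object, if present."""
    if not rdap:
        return None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def assess(pub: dict, rdap: dict | None, now: datetime,
           expiry_window_days: int = 30, dormant_days: int = 365) -> dict:
    """Flag one publisher record and rate how attractive it is for account takeover.

    A domain that is unregistered or expired is a live takeover path (an attacker who
    re-registers it receives the password-reset mail); missing 2FA makes that path
    complete, so the combination is rated critical.
    """
    flags: list[str] = []
    expires = expiration_from_rdap(rdap)
    statuses = {s.lower() for s in (rdap or {}).get("status", [])}

    if rdap is None:
        flags.append("domain_unregistered")          # no registry record at all
    elif (expires is not None and expires <= now) or statuses & LAPSED_STATUSES:
        flags.append("domain_expired")
    elif expires is not None and expires - now <= timedelta(days=expiry_window_days):
        flags.append("domain_expiring")

    last = datetime.fromisoformat(pub["last_release"]).replace(tzinfo=timezone.utc)
    if now - last > timedelta(days=dormant_days):
        flags.append("dormant_account")
    if not pub.get("mfa"):
        flags.append("no_mfa")

    takeover_path = "domain_unregistered" in flags or "domain_expired" in flags
    if takeover_path and "no_mfa" in flags:
        severity = "critical"
    elif takeover_path:
        severity = "high"
    elif "domain_expiring" in flags or ("dormant_account" in flags and "no_mfa" in flags):
        severity = "medium"
    else:
        severity = "low"
    return {"account": pub["account"], "domain": domain_of(pub["email"]),
            "severity": severity, "flags": flags}


def audit(publishers: list[dict], rdap_by_domain: dict, now: datetime) -> list[dict]:
    """Assess every publisher and return findings, most severe first."""
    findings = [assess(p, rdap_by_domain.get(domain_of(p["email"])), now) for p in publishers]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in audit(PUBLISHERS, RDAP_RESPONSES, NOW):
        print(f"{finding['severity']:8} {finding['account']:12} {finding['domain']:24} "
              f"{', '.join(finding['flags']) or '-'}")
```

On the constructed data the lapsed-domain account with no 2FA comes out as critical, the one whose domain expires within the window as medium, and the healthy account as low; the same rules give a store operator a queue to work through (force a re-verification or block publishing for the critical tier before any update can be pushed). The check only works from the operator's side, since it needs the account-to-contact-domain mapping that outsiders do not have.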