Linux users beware: Snap Store wallet app impersonated, hackers steal assets through domain hijacking

According to the latest news, the Snap Store, the application store on the Linux platform, has been exposed to a serious security vulnerability. Hackers hijacked developer accounts by taking over expired domains and implanted malicious code into counterfeit versions of well-known crypto wallets such as Exodus, Ledger Live and Trust Wallet. At least two developer accounts have been confirmed compromised. This is a carefully planned supply chain attack targeting crypto users.
Three Key Links in the Attack Chain
Step 1: Domain Hijacking to Take Over Accounts
Attackers monitor developer accounts associated with expired domains in the Snap Store, then register these expired domains. Using the email addresses associated with these domains, attackers can trigger password reset processes to fully take over the trusted publisher identities established over many years. This method is particularly effective because these accounts often have a large user base trusting them.
Confirmed hijacked domains include storewise[.]tech and vagueentertainment[.]com.
Step 2: Impersonating Well-Known Wallet Applications
After taking over accounts, attackers upload modified malicious applications disguised as trusted wallets like Exodus, Ledger Live, or Trust Wallet. The interfaces of these malicious apps are nearly indistinguishable from the genuine ones, making it difficult for ordinary users to tell real from fake.
Step 3: Inducing Users to Leak Seed Phrases
Malicious apps will ask users to input their “wallet recovery seed phrase.” Once users submit this sensitive information, the data is immediately transmitted to the attacker’s server, and the users’ digital assets are stolen.
Scope of Risks and Protective Recommendations
Affected Parties        | Risk Level | Protective Measures
------------------------|------------|-------------------------------------------------------
Linux Snap Store Users  | High       | Avoid downloading wallet apps from app stores
Crypto Wallet Users     | High       | Download from official websites or official app stores
Novice Users            | Very High  | Be cautious of any apps requesting seed phrase input
Immediate Action Checklist
1. Check the source of installed wallet applications to confirm whether they were downloaded from the Snap Store.
2. Download wallet applications from official websites (not app stores).
3. Never input a wallet recovery seed phrase into any app unless it is the official wallet recovery process.
4. For wallets such as Exodus, Ledger Live and Trust Wallet, uninstall the Snap Store version and switch to official channels.
5. If a seed phrase has already been entered, transfer assets immediately to a new wallet.
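To act on checklist items 1 and 4, the following added example (not from the article) reads `snap list` output and reports every installed snap whose name matches one of the wallets named above, together with its publisher and whether the publisher field carries snapd's ✓ mark. The wallet name patterns and the sample `snap list` output are constructed; the ✓ mark alone is not proof of safety, since the accounts hijacked in this incident were trusted, long-established publishers.

```shell
#!/bin/sh
# Added example (not from the article): audit installed snaps for wallet apps.
# Reads `snap list` output on stdin and prints every snap whose name matches a
# wallet named in the article, with its publisher and whether the publisher
# field carries snapd's verified mark (a trailing check mark).

# Case-insensitive ERE matched against the snap name (assumed patterns).
WALLET_PATTERN='exodus|ledger|trust'

# audit_wallet_snaps: stdin = `snap list` output, stdout = NAME<TAB>PUBLISHER<TAB>STATUS
audit_wallet_snaps() {
  awk -v pat="$WALLET_PATTERN" '
    NR == 1 {                                  # header row: find the Publisher column
      for (i = 1; i <= NF; i++) if ($i == "Publisher") pubcol = i
      next
    }
    pubcol && tolower($1) ~ pat {
      pub = $pubcol
      # snapd appends a check mark to verified publishers; anything else is
      # reported as lacking the mark (the mark alone is not proof of safety)
      status = index(pub, "✓") ? "verified-mark" : "no-verified-mark"
      printf "%s\t%s\t%s\n", $1, pub, status
    }'
}

# Constructed sample of `snap list` output (not real data) for offline use.
SAMPLE_SNAP_LIST='Name                 Version   Rev   Tracking       Publisher         Notes
core22               20240111  1122  latest/stable  canonical✓        base
exodus               24.1.0    5     latest/stable  some-publisher    -
ledger-live-desktop  2.70.0    12    latest/stable  other-publisher✓  -
firefox              122.0     3836  latest/stable  mozilla✓          -'

# audit_sample: run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_SNAP_LIST" | audit_wallet_snaps
}

if command -v snap >/dev/null 2>&1; then
  snap list | audit_wallet_snaps     # live audit of this machine
else
  audit_sample                       # no snapd here: demonstrate on the sample
fi
```

Any wallet snap it lists should be compared against the publisher named on the wallet vendor's official website, and removed if it does not match or if you no longer need the Snap Store version.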
Why Is the Snap Store Vulnerable to Attacks?
The Snap Store is an application store for Linux systems. Compared to the iOS and Android app stores, its security review is relatively lenient, which gives attackers an opening. Moreover, many developers are not careful about domain renewal, so expired domains end up registered by others. This incident exposes weaknesses in the app store's verification of the domains and email addresses bound to developer accounts.
Summary
The danger of this incident lies in its combination of multiple attack vectors: domain hijacking, account takeover, application impersonation, and social engineering of users. Attackers do not directly intrude but spread malicious software through “legitimate” app store channels, greatly reducing user awareness of threats. For crypto users, the safest approach is to always obtain wallet applications from official channels and remain highly vigilant against any requests for seed phrase input. This also serves as a reminder for app stores and developers to strengthen account security verification mechanisms to prevent similar incidents from happening again.