Blockchain security firm SlowMist flagged a new Linux-based attack vector that exploits trusted applications distributed via the Snap Store to steal users' crypto recovery seed phrases.
In a post on X, SlowMist's chief information security officer, 23pds, said attackers are abusing expired domains to hijack long-standing Snap Store publisher accounts and distribute malicious updates through official channels.
The compromised applications reportedly impersonate popular crypto wallets, including Exodus, Ledger Live and Trust Wallet, using interfaces that closely resemble legitimate software.
Once installed or updated, the malicious apps prompt users to enter wallet recovery phrases, allowing attackers to exfiltrate credentials and drain funds without users realizing they've been compromised.
Attackers use expired domains to hijack Snap Store publishers
The Snap Store is the official Linux app store used to distribute software packaged in a format called "snaps." It's commonly considered Linux's equivalent of Apple's App Store on macOS and the Microsoft Store on Windows.
SlowMist said the attack relies on monitoring Snap Store developer accounts linked to domains that have expired but were previously associated with legitimate publishers.
Once a domain expires, attackers can re-register it and use domain-linked email addresses to reset Snap Store account credentials.
The SlowMist executive said the method allows attackers to quietly take control of established publisher accounts with existing download histories and active users. From there, malicious code can be pushed through routine software updates rather than fresh installations.
SlowMist confirmed that two publisher domains, namely "storewise[.]tech" and "vagueentertainment[.]com," were compromised using the attack vector. Applications tied to the accounts were reportedly modified to impersonate well-known crypto wallets.
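A defender-side triage check for the pattern described above, as an added example that is not from SlowMist or the original article: it parses `snap list` output and reports installed snaps whose names contain one of the wallet brands named here but whose publisher column lacks snapd's verified mark. The keyword list, the sample output and its snap and publisher names are constructed for illustration.

```python
# Wallet brands named in the article; the keyword list and matching rule are
# assumptions of this example, not indicators published by SlowMist.
WALLET_KEYWORDS = ("exodus", "ledger", "trustwallet", "trust-wallet")

# snapd appends a check mark to verified publishers ("**" without Unicode)
# and a star to starred developers ("*" without Unicode).
VERIFIED_MARKS = ("✓", "**")
STARRED_MARKS = ("✪", "*")

# Constructed `snap list` output; snap and publisher names are made up.
SAMPLE = """\
Name              Version   Rev   Tracking       Publisher      Notes
core22            20240111  1122  latest/stable  canonical✓     base
ledger-desk-demo  2.75.0    301   latest/stable  example-pub    -
exodus-demo       24.1.2    88    latest/stable  other-pub*     -
trustwallet-demo  1.0.3     12    latest/stable  verified-pub✓  -
"""

def parse_snap_list(text):
    """Turn `snap list` output into dicts keyed by lower-cased column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    columns = [c.lower() for c in lines[0].split()]
    # Column values contain no spaces, so whitespace splitting is enough;
    # rows with an unexpected field count are skipped rather than guessed at.
    rows = (ln.split() for ln in lines[1:])
    return [dict(zip(columns, r)) for r in rows if len(r) == len(columns)]

def publisher_status(publisher):
    """Classify the Publisher column; "**" is tested before "*"."""
    if publisher.endswith(VERIFIED_MARKS):
        return "verified"
    if publisher.endswith(STARRED_MARKS):
        return "starred"
    return "unverified"

def flag_wallet_snaps(text):
    """Return (name, publisher, rev, status) for wallet-named snaps whose
    publisher is not verified."""
    findings = []
    for row in parse_snap_list(text):
        status = publisher_status(row["publisher"])
        if status != "verified" and any(k in row["name"].lower() for k in WALLET_KEYWORDS):
            findings.append((row["name"], row["publisher"], row["rev"], status))
    return findings
```

A verified mark does not clear a snap, since the attack described here takes over existing publisher accounts; treat the output as a starting list for checking each wallet against its vendor's official download channel.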
Supply-chain attacks grow as crypto exploits become more sophisticated
The Snap Store attack vector aligns with a broader shift in crypto-related threats, where attackers are increasingly targeting infrastructure and distribution channels rather than smart contract code.
CertiK data shared with Cointelegraph in December showed that total crypto hack losses reached $3.3 billion in 2025, despite a sharp decline in the number of individual incidents.
CertiK said losses became concentrated in fewer but more damaging supply-chain attacks, which accounted for $1.45 billion in losses across just two incidents.
The trend suggests that as protocol-level security improves, attackers are shifting toward higher-impact tactics that exploit trust relationships, software updates and third-party infrastructure.

