Linux Users Beware: Hackers Hijack Snap Store Accounts to Push Crypto-Stealing Malware

Linux systems face a new breed of digital pickpocket—attackers are commandeering legitimate Snap Store developer accounts to push malware that empties cryptocurrency wallets.
How the Heist Works
The scheme bypasses traditional security checks by exploiting trusted publisher status. Once an attacker gains control of a verified account, they upload a malicious snap—a software package for Linux. The update appears legitimate to users and automated systems, creating a perfect trap.
The malware doesn't just sit there. It executes a multi-stage attack: first establishing persistence, then scanning for installed crypto wallets like MetaMask or Exodus. When it finds one, it replaces wallet addresses in the clipboard during transactions or exfiltrates seed phrases directly—sending digital assets straight to the attacker's control.
Why Linux Became a Target
For years, Linux enjoyed a reputation as a more secure alternative. That perception made it a softer target. Developers and crypto enthusiasts running Linux for its stability and control now represent a high-value demographic—tech-savvy users holding significant crypto assets, often with lower endpoint protection than corporate environments.
The response from Snap's maintainers came swiftly but revealed the challenge: they can remove malicious snaps quickly, but the account compromise vector remains. It's a game of whack-a-mole where the moles have direct deposit information for your savings.
Protecting Your Digital Gold
Security experts recommend manual verification of snap updates from critical software sources. Check publisher names before installing updates, especially for financial tools. Maintain offline storage for significant crypto holdings—because even the most secure operating system crumbles when the front door key gets stolen.
This attack underscores a brutal truth in decentralized finance: your technical prowess means nothing when the distribution channel gets poisoned. It's the digital equivalent of a bank robber buying the vault company—sometimes the system itself is the exploit. And in crypto, there's no FDIC insurance when the teller helps with the withdrawal.
Attackers Turn Legitimate Packages Malicious
Once inside, the attackers push malicious updates to packages that were previously benign, catching users off guard through automatic updates and long-established trust signals.
The Snap Store, like other major package repositories, has long been a target for malware campaigns.
Early efforts were relatively unsophisticated, with scammers publishing fake crypto wallet applications under newly created accounts.
When those attempts became easier to detect, attackers began disguising malicious apps using lookalike characters from other alphabets to evade filters.
According to Pope, the tactic then evolved into a bait-and-switch approach. Attackers would publish harmless software under neutral names such as “lemon-throw” or “alpha-hub,” often posing as simple games. After approval and a period of inactivity, a follow-up update would quietly introduce a fake crypto wallet designed to steal funds.
The latest development raises the stakes. In at least two confirmed cases, attackers took control of expired domains once owned by legitimate Snap publishers and used them to distribute wallet-stealing malware through automatic updates.
A new Snap Store scam campaign abuses expired publisher domains to bypass trust signals and deliver malicious app updates. https://t.co/nWL9HGXACe #Linux #OpenSource
— Linuxiac (@linuxiac) January 19, 2026
The affected applications appeared normal on the surface but were built to harvest wallet recovery phrases and transmit them to attacker-controlled servers.
By the time users noticed suspicious behavior, funds and sensitive data were already compromised.
Canonical has since removed the malicious snaps, but Pope warned that the response highlights deeper weaknesses in the platform’s trust model.
He said domain takeovers undermine publisher longevity as a safety signal and called for additional safeguards, including monitoring domain expirations, enforcing stronger account verification for dormant publishers, and requiring mandatory two-factor authentication.
Security Researcher Warns of Delayed Snap Store Takedowns
Pope also noted delays in removing reported malicious snaps, sometimes stretching over several days.
He advised users to exercise extra caution when installing cryptocurrency wallets on Linux and to consider downloading them directly from official project websites instead of app stores.
To help users assess risk, Pope created SnapScope, a web-based tool that flags snaps as suspicious or malicious before installation.
He also urged developers to keep domain registrations active and secure Snapcraft and email accounts with two-factor authentication.
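The "check publisher names" advice given above and Pope's recommendation to be cautious with wallet snaps can be turned into a small audit. The following is an added example, not code from the article or from SnapScope: it parses constructed `snap list` output (the ✓ suffix is how snapd marks a verified publisher), compares each snap's publisher against a hypothetical baseline recorded at install time, and flags wallet-related snaps from unverified publishers. The snap names, publishers and baseline are all constructed.

```python
"""Audit installed snaps against a publisher baseline (constructed example)."""

# Constructed sample of `snap list` output; "✓" marks a verified publisher.
SNAP_LIST_OUTPUT = """\
Name         Version    Rev    Tracking       Publisher     Notes
core22       20240111   1122   latest/stable  canonical✓    base
firefox      122.0-2    3836   latest/stable  mozilla✓      -
some-game    1.2.0      7      latest/stable  gamedev       -
wallet-ui    0.9.1      3      latest/stable  hypothetical  -
"""

# Hypothetical baseline saved earlier: snap name -> publisher seen at install time.
BASELINE = {"core22": "canonical✓", "firefox": "mozilla✓", "wallet-ui": "walletco✓"}

# Snaps that handle funds get the strictest treatment (constructed watchlist).
WATCHLIST = {"wallet-ui"}


def parse_snap_list(text):
    """Return {snap_name: publisher} from `snap list` text, skipping the header row."""
    result = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:  # malformed or blank line
            continue
        result[fields[0]] = fields[4]  # Publisher is the fifth column
    return result


def audit(installed, baseline, watchlist):
    """Return (snap, reason) findings that deserve a human look before refreshing."""
    findings = []
    for name, publisher in installed.items():
        verified = publisher.endswith("✓")
        if name in baseline and baseline[name] != publisher:
            findings.append((name, f"publisher changed {baseline[name]!r} -> {publisher!r}"))
        elif name not in baseline:
            findings.append((name, "not in baseline: new snap, verify publisher by hand"))
        if name in watchlist and not verified:
            findings.append((name, "wallet snap from unverified publisher"))
    return findings


if __name__ == "__main__":
    for snap, reason in audit(parse_snap_list(SNAP_LIST_OUTPUT), BASELINE, WATCHLIST):
        print(f"{snap}: {reason}")
```

A publisher-name check catches impostor and unverified publishers but not a compromised legitimate account, where the name stays the same; for wallet snaps, pairing it with `snap refresh --hold <snap>` and reviewing updates before applying them addresses the automatic-update path the article describes.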
According to Chainalysis, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.
In another case, US prosecutors have charged a 23-year-old Brooklyn resident, Ronald Spektor, with stealing roughly $16 million in cryptocurrency from around 100 Coinbase users through an alleged phishing and social engineering scheme.