Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / Cryptopolitan /
Snap Store Breach Exposes Linux Users’ Crypto Wallets in Sophisticated Attack

Snap Store Breach Exposes Linux Users’ Crypto Wallets in Sophisticated Attack

Author:
Cryptopolitan
Published:
2026-01-21 15:23:17
11
1

Hackers hijack Snap Store accounts to steal crypto from Linux users

Linux users—long considered the security-conscious elite—just got a harsh reminder that no platform is immune. A new attack vector has emerged, not through obscure command lines, but via the trusted Snap Store itself.

How the Hijack Unfolds

Attackers aren't brute-forcing passwords. They're compromising developer accounts on the Snap Store, the official app repository for Ubuntu and other distributions. Once inside, they swap legitimate software packages with malicious versions. The payload? A crypto wallet drainer that executes silently upon installation.

The Illusion of Safety Shattered

This isn't a case of users downloading from shady forums. The poisoned apps bear verified developer badges and sit in the official store. The attack exploits the very trust model that makes Linux secure, turning a strength into a critical vulnerability. It's a supply chain attack hitting the open-source world's front door.

Why Crypto Holders Are Prime Targets

The malware specifically scans for and exfiltrates wallet.dat files, seed phrases, and browser extension data. Linux users managing nodes, validators, or simply holding assets are the bullseye. The sophistication suggests a financially motivated, targeted operation, not random script-kiddie mischief.

Guarding Your Digital Gold

Immediate steps include auditing installed snaps, verifying checksums for critical financial tools, and moving cold storage keys entirely offline. This breach proves that 'hot' wallets on any connected system, regardless of OS, are part of the attack surface. Sometimes, the safest yield is the one you don't chase—a lesson traditional finance learned the hard way and crypto is learning in real-time.

The takeaway? In the high-stakes game of digital asset security, your operating system is no longer your castle wall. The moat has been drained, and the attackers are inside the keep, politely offering you a poisoned goblet from the royal cellar.

How does the Snap Store attack work?

23pds wrote, “Linux users beware: A new type of attack is raging in Snap Store — expired domains have been taken over by hackers and turned into backdoors to steal users’ crypto assets.

The tampered applications are disguised as well-known crypto wallets such as Exodus, Ledger Live, or Trust Wallet, tricking users into entering their ‘wallet recovery seed phrase,’ resulting in complete theft of funds.”

Once a target domain expires and becomes available for registration, the attackers immediately purchase it, then use the email address linked to that domain to trigger password resets on the Snap Store. This grants them complete control over long-established, trusted publisher identities without raising immediate suspicion.

At least two developer accounts have been confirmed as compromised using this method, with domains storewise.tech and vagueentertainment.com falling into the attackers’ hands.

The malicious actors, believed to be based in Croatia according to Alan Pope, a former Canonical developer and Ubuntu contributor, have been conducting campaigns against Snap Store users for approximately two years.

The domain takeover is the latest and most concerning evolution of the action of these bad actors, as it now means that “legitimate software installed and trusted by users for years could have malicious code injected by hackers through official update channels overnight.”

According to 23pds, “The tampered applications are usually disguised as well-known crypto wallets such as Exodus, Ledger Live, or Trust Wallet, with interfaces almost indistinguishable from the genuine versions.”

He stated, “After the app launches, it first connects to a remote server to verify the network, then immediately prompts the user to enter their ‘wallet recovery mnemonic phrase.’ Once the user submits it, these sensitive details are instantly transmitted to the attacker’s server, resulting in the theft of funds.”

Victims often discover that their funds have been stolen before noticing that anything is wrong because the attack exploits long-standing trust relationships.

What are major platforms doing to curtail domain resurrection attacks?

GitHub, PyPI, and npm have all experienced similar domain resurrection attacks. A 2022 academic study identified over 2,800 npm developer accounts configured with email addresses whose domains had subsequently expired, highlighting the scale of potential vulnerability.

In June 2025, the Python security team removed more than 1,800 expired email addresses from developer accounts, forcing developers to re-verify their credentials with active domains upon their next login. 

The problem stems from what security experts call internet or LINK rot, where developers moving between jobs or email providers fail to update account information across all platforms, creating exploitable security gaps.

Pope stated that Canonical needs to address the issue by implementing safeguards, which could be monitoring domain expiry on publisher accounts, requiring additional verification for dormant accounts, implementing mandatory two-factor authentication, or other measures.

Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.

|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2026 BTCC.com. All rights reserved

All articles reposted on this platform are sourced from public networks and are intended solely for the purpose of disseminating industry information. They do not represent any official stance of BTCC. All intellectual property rights belong to their original authors. If you believe any content infringes upon your rights or is suspected of copyright violation, please contact us at [email protected]. We will address the matter promptly and in accordance with applicable laws.BTCC makes no explicit or implied warranties regarding the accuracy, timeliness, or completeness of the republished information and assumes no direct or indirect liability for any consequences arising from reliance on such content. All materials are provided for industry research reference only and shall not be construed as investment, legal, or business advice. BTCC bears no legal responsibility for any actions taken based on the content provided herein.