Linux users should be aware of a new type of attack on the Snap Store, where hackers can take over developers' identities to trick users into submitting their seed phrase.

BlockBeats News, January 21st, SlowMist CISO 23pds posted on social media that Linux users need to be aware of a new attack in the Snap Store. A hijacked domain name is used as a backdoor to steal users' encrypted assets. Tampered apps masquerade as well-known crypto wallets like Exodus, Ledger Live, or Trust Wallet, tricking users into entering their "wallet recovery seed phrase," leading to fund theft.

It is reported that the attackers have now shifted to monitoring developer accounts in the Snap Store with expired associated domains. Once a target domain is found to be expired, the attacker promptly registers it, then uses the domain's email to initiate a password reset on the Snap Store, thus taking over the identity of a long-established trusted publisher.

23pds explained that this means software that users installed and trusted for years may overnight be compromised by hackers injecting malicious code through the official update channel. It has been confirmed that two publisher domains, storewise[.]tech and vagueentertainment[.]com, have been hijacked using this method. The tampered apps usually pretend to be reputable crypto wallets like Exodus, Ledger Live, or Trust Wallet, with interfaces almost indistinguishable from the genuine ones.

Upon app launch, it will first connect to a remote server for network verification, then lure users into entering their "wallet recovery seed phrase." Once users submit this sensitive information, it is immediately sent to the attacker's server, resulting in fund theft. Due to exploiting the existing trust relationship, such attacks often succeed before the victims realize.