SlowMist warns Snap Store wallet updates steal seed phrases


Attackers have taken over trusted Linux Snap Store publisher accounts by re-registering expired domains, then pushed malicious updates that impersonate popular wallets such as Exodus, Ledger Live and Trust Wallet to steal users' recovery seed phrases, according to blockchain security firm SlowMist.

Once a victim installs or updates the fake app, it prompts for a seed phrase that can be used to drain funds.

SlowMist’s chief information security officer, known as 23pds, said the campaign abuses the trust built up by long-running publisher accounts with established download histories and active users, allowing attackers to distribute malware through routine updates rather than relying on fresh installs.

The mechanics described by SlowMist start with monitoring Snap publisher accounts tied to domains that have lapsed. After a domain expires, an attacker can re-register it and use associated domain email addresses to reset Snap Store account credentials, giving them control over the publisher profile and its existing user base. SlowMist said two publisher domains – storewise[.]tech and vagueentertainment[.]com – were confirmed as compromised using this method, and apps tied to those accounts were then modified to mimic well-known crypto wallets.

The Snap Store is a distribution channel for Linux software packaged as “snaps,” and the attack relies on delivering the malicious code through what appears to be an official update path. SlowMist said the fraudulent wallet interfaces closely resemble legitimate software and are designed to convince users to enter recovery phrases after installation or updating.

The incident fits a broader pattern where attackers increasingly target distribution and infrastructure layers instead of smart-contract code. CertiK data cited in related security reporting put total crypto hack losses at $3.3 billion in 2025, with losses concentrated in fewer but larger supply-chain incidents; CertiK attributed $1.45 billion in losses to supply-chain attacks across two incidents.

For users, the immediate risk is entering a seed phrase into software that only appears to be a legitimate wallet. SlowMist’s description of the campaign suggests checking that the publisher behind a Snap package matches the expected developer, verifying the package origin before updating, and treating any prompt to input a recovery phrase as a red flag unless it is part of a wallet setup flow you initiated from a verified source.
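The publisher check SlowMist recommends can be scripted against the output of `snap list`, which prints the columns Name, Version, Rev, Tracking, Publisher and Notes and marks a verified publisher with a trailing check mark in the Publisher column. The script below is an added example written for this article, not code from SlowMist or GNcrypto: it compares each installed snap against an allowlist of the publisher you expect, and separately lists snaps whose publisher is not verified. The sample `snap list` output and the publisher names in the allowlist are constructed for the example and are not real publisher identifiers.

```shell
#!/bin/sh
# Constructed sample of `snap list` output (not real data). Column layout
# follows snapd: Name Version Rev Tracking Publisher Notes. The trailing
# "✓" in the Publisher column is how snapd marks a verified publisher.
SAMPLE_SNAP_LIST='Name           Version   Rev   Tracking       Publisher          Notes
core22         20240111  1122  latest/stable  canonical✓         base
exodus-wallet  25.1.0    42    latest/stable  some-publisher     -
ledger-live    2.80.0    17    latest/stable  ledger-live-dev✓   -'

# Allowlist of "<snap name> <expected publisher>" pairs, one per line.
# These publisher ids are hypothetical placeholders for the example; fill
# in the id shown on the wallet vendor's own site for your real checks.
EXPECTED_PUBLISHERS='exodus-wallet exodus-movement✓
ledger-live ledger-live-dev✓'

# check_snap_publishers LIST EXPECTED
#   LIST     : text in `snap list` format
#   EXPECTED : allowlist text as above
# Prints a warning for every installed snap whose publisher differs from
# the allowlist and returns 1 if any mismatch was found, 0 otherwise.
# Snaps in the allowlist that are not installed are skipped.
check_snap_publishers() {
  list="$1"
  expected="$2"
  rc=0
  while read -r name want; do
    if [ -z "$name" ]; then
      continue
    fi
    # Fifth column of the row whose first column is this snap name.
    have=$(printf '%s\n' "$list" | awk -v n="$name" '$1 == n { print $5 }')
    if [ -z "$have" ]; then
      continue
    fi
    if [ "$have" != "$want" ]; then
      printf 'WARNING: %s is published by %s, expected %s\n' \
        "$name" "$have" "$want"
      rc=1
    fi
  done <<EOF
$expected
EOF
  return $rc
}

# unverified_snaps LIST
# Prints the name of every installed snap whose publisher lacks the "✓"
# verified marker, one per line. Unverified does not mean malicious, but a
# wallet snap from an unverified publisher deserves a second look before
# any seed phrase goes anywhere near it.
unverified_snaps() {
  printf '%s\n' "$1" | awk 'NR > 1 && $5 !~ /✓$/ { print $1 }'
}

# Usage against the real system (commented out so the sample runs offline):
#   check_snap_publishers "$(snap list)" "$EXPECTED_PUBLISHERS"
#   unverified_snaps "$(snap list)"
```

Run against the constructed sample, `check_snap_publishers` warns that `exodus-wallet` is published by `some-publisher` rather than the allowlisted id and exits non-zero, and `unverified_snaps` lists only `exodus-wallet`. A mismatch is exactly the signal this campaign would produce if a compromised publisher account were replaced, or if a look-alike snap were installed in place of the real one; it is a prompt to stop and verify the package origin, not proof of compromise on its own.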

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
