Linux Snap Store Compromised: ‘Zombie’ Domains Push Fake Crypto Wallets

The Attack Vector: Domain Resurrection

A sophisticated supply chain attack is currently active on the Linux Snap Store, targeting users of major self-custody wallets including Exodus, Ledger Live, and Trust Wallet. According to an alert issued by SlowMist CISO 23pds, attackers are executing "domain resurrection" exploits to hijack established publisher accounts and push malicious updates through official channels.

The mechanism is brutally simple yet effective: hackers identify Snap Store developers whose domain registrations have expired, re-register those domains (such as storewise.tech and vagueentertainment.com), and use the resulting control over the domain's email to reset the publisher's Snap Store password. Once inside, they push a compromised version of the application to the "stable" channel. Because the Snap daemon (snapd) automatically updates installed packages by default, users receive the malware without any interaction.

The Receipt: Trusted Channels, Malicious Payloads

This is not a typical phishing link; it is a compromise of the update infrastructure itself. Former Canonical engineer and Linux researcher Alan Pope (popey) documented the severity of this vector, noting that one victim lost approximately $490,000 in Bitcoin to a fake Exodus wallet distributed via this method. The malicious updates typically function normally but inject a prompt requesting the user’s recovery seed phrase—data that is immediately exfiltrated to the attacker’s server.

"The domain takeover angle is particularly concerning because it undermines one of the few trust signals users had: publisher longevity." (Alan Pope)

Institutional Context

This incident exposes a critical fragility in centralized package managers that rely on domain ownership as a proxy for identity. Unlike immutable blockchain deployments, Web2 distribution points like the Snap Store are susceptible to "rot", where a lapsed $10 domain registration can compromise thousands of users. For crypto participants running Linux, the presumption of safety in "official" repositories is currently a liability. Security researchers are advising users to disable auto-updates for sensitive applications or verify package signatures against the vendor’s direct release, rather than relying solely on the Snap Store’s convenience.
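As an added example (not code from the article, from Canonical or from any wallet vendor), a small Python audit that parses `snap list` output, checks an installed wallet snap against a pinned publisher and revision, and flags any snap whose automatic refresh is not held. The snap name, publisher ids and revisions are constructed placeholders; the `held` note and the ✓ verified mark are what `snap list` prints on current snapd.

```python
import subprocess

# Baseline recorded when the snap was last known-good. Name, publisher and revision are CONSTRUCTED placeholders.
BASELINE = {"example-wallet": {"publisher": "example-publisher", "rev": "42"}}

# Constructed `snap list` output for offline use, in the column layout snapd prints.
SAMPLE_SNAP_LIST = """\
Name            Version   Rev   Tracking       Publisher        Notes
core22          20240111  1122  latest/stable  canonical✓       base
example-wallet  1.2.3     57    latest/stable  other-publisher  -
"""

def parse_snap_list(text):
    """Return {name: {rev, tracking, publisher, held}} from `snap list` text."""
    snaps = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        name, _version, rev, tracking, publisher, notes = fields[:6]
        snaps[name] = {
            "rev": rev, "tracking": tracking,
            "publisher": publisher.rstrip("✓*"),        # verified publishers carry ✓ (** on non-UTF-8 terminals)
            "held": "held" in notes.split(","),          # a held snap is noted as "held"
        }
    return snaps

def audit(snaps, baseline=BASELINE):
    """Return (snap, finding) pairs for every deviation from the pinned baseline."""
    findings = []
    for name, want in baseline.items():
        cur = snaps.get(name)
        if cur is None:
            findings.append((name, "not installed"))
            continue
        if cur["publisher"] != want["publisher"]:
            findings.append((name, f"publisher changed: {want['publisher']} -> {cur['publisher']}"))
        if cur["rev"] != want["rev"]:
            findings.append((name, f"revision drift: {want['rev']} -> {cur['rev']}; verify before trusting"))
        if not cur["held"]:
            findings.append((name, f"auto-refresh not held; consider: snap refresh --hold {name}"))
    return findings

if __name__ == "__main__":
    try:   # use the live system when snapd is present, otherwise the constructed sample
        text = subprocess.run(["snap", "list"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SNAP_LIST
    for snap, finding in audit(parse_snap_list(text)):
        print(f"{snap}: {finding}")
```

A publisher or revision change on a held wallet snap is the signal to compare against the vendor's direct release before unholding.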


Mark Zimmerman

Technical Writer

Hi, I'm Mark. My journey into the blockchain industry began on the investment side, where I worked as a developer in charge of DeFi operations for a digital asset-focused firm, eventually becoming a partner. I transitioned from the financial side of crypto to the deep technical trenches as a Solidity developer, working on a central limit order book built on the Avalanche blockchain. That hands-on experience building decentralized applications gave me a rigorous understanding of the challenges developers face when working with distributed ledger technology. Currently, I work as a Technical Writer at CoinWatchDaily, where I focus on bridging the gap between complex low-level code and accessible developer education.
