Hackers Exploiting Snap Store Security Flaw to Distribute Fake Wallet Apps
A significant security vulnerability has been uncovered in the Linux Snap Store ecosystem, where attackers are leveraging expired developer domains to inject malicious code into previously trusted applications. This sophisticated attack strategy, known as a domain resurrection attack, represents a growing threat to cryptocurrency users worldwide. By gaining control of outdated domains, threat actors are repackaging legitimate software to impersonate popular wallet applications, creating a particularly dangerous attack vector within the Snap marketplace.
How the Domain Resurrection Attack Works
The mechanics of this attack exploit a critical weakness in the Snap Store update mechanism. Hackers obtain expired developer domains and use them to push malicious updates to applications that were originally published under legitimate ownership. Once users download what appears to be authentic wallet software—such as Exodus, Ledger Live, or Trust Wallet—the compromised application requests access to sensitive user data. The primary target is cryptocurrency recovery phrases (mnemonic seeds), which, once obtained, provide attackers with complete access to victims’ digital assets. The Snap mechanism allows this injection to occur seamlessly, without triggering obvious security warnings that might alert users to the compromise.
Confirmed Compromised Domains and Affected Applications
Security researchers have identified at least two domains actively used in these attacks: storewise.tech and vagueentertainment.com. These hijacked domains were leveraged to distribute wallet impersonations within the Snap Store, targeting users seeking legitimate cryptocurrency management tools. The attack specifically focused on three high-profile wallet applications—Exodus, Ledger Live, and Trust Wallet—chosen for their widespread adoption and user trust. Each fraudulent variant was designed to closely mirror the original application’s interface while secretly harvesting recovery phrases and private keys.
Protecting Yourself Within the Snap Store Ecosystem
Users should exercise heightened caution when installing wallet applications through any package manager, including the Snap Store. Verification steps include checking the developer’s official website before installation, confirming the authenticity of the application publisher, and reviewing recent security announcements from recognized cryptocurrency security platforms. For those already using wallet applications via Snap Store, immediately reviewing recovery phrase access logs and considering recovery phrase rotation on any installed wallet applications represents a prudent security measure. The emergence of domain resurrection attacks highlights the importance of multi-layered security practices in the broader cryptocurrency ecosystem.
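The publisher check recommended above, as an added example that is not part of the original article: it parses the text that `snap info <name>` prints, refuses any snap whose publisher line lacks the Snap Store verified mark, and compares the publisher against an allow-list the user fills in from the vendor's official website. The two `snap info` samples and the allow-list entry are constructed for offline use; `check_installed` is the hypothetical helper that runs the real command on a machine with snapd.

```python
"""Pre-install publisher policy for snaps (added example, not the article's code)."""
import re
import subprocess

# Constructed samples of `snap info` output: a look-alike with an unverified
# publisher, and a snap whose publisher carries the Store's verified mark.
SAMPLE_UNVERIFIED = """name:      exodus-wallet
summary:   Exodus crypto wallet
publisher: Some Publisher
store-url: https://snapcraft.io/exodus-wallet
"""
SAMPLE_VERIFIED = """name:      core
summary:   snapd runtime environment
publisher: Canonical✓
store-url: https://snapcraft.io/core
"""

# Hypothetical allow-list: snap name -> publisher you confirmed on the vendor's
# own website (never copy it from the store listing you are trying to vet).
EXPECTED_PUBLISHER = {"core": "Canonical"}

# `snap info` appends ✓ (verified) or ★ (starred) directly to the publisher name.
PUBLISHER_RE = re.compile(r"^publisher:\s+(?P<name>.+?)(?P<mark>[✓★])?\s*$", re.M)


def parse_publisher(info_text):
    """Return (publisher_name, verified) from `snap info` text, or None if absent."""
    m = PUBLISHER_RE.search(info_text)
    if m is None:
        return None
    return m.group("name"), m.group("mark") == "✓"


def check_snap(snap_name, info_text, expected=EXPECTED_PUBLISHER):
    """Apply the policy; returns (allowed, reason). Only ✓ passes as verified."""
    parsed = parse_publisher(info_text)
    if parsed is None:
        return False, "no publisher line in snap info output"
    name, verified = parsed
    if not verified:
        return False, f"publisher {name!r} is not verified by the Snap Store"
    want = expected.get(snap_name)
    if want is None:
        return False, f"{snap_name!r} is not on the allow-list; confirm it on the vendor site"
    if name != want:
        return False, f"publisher {name!r} does not match expected {want!r}"
    return True, f"publisher {name!r} is verified and matches the allow-list"


def check_installed(snap_name):
    """Run the real `snap info` (needs snapd) and apply the same policy."""
    out = subprocess.run(["snap", "info", snap_name], capture_output=True, text=True, check=True).stdout
    return check_snap(snap_name, out)
```

A verified mark shows the Store vetted the publisher at some point, not that the account is still in the publisher's hands, so treat this as one layer alongside the vendor-site check the article recommends.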