Crypto Journalist
Amin Ayan
Crypto Journalist
Share
Cryptocurrency hackers are exploiting trusted Linux software to steal digital assets, using a new technique that turns legitimate Snap Store packages into malware.
Key Takeaways:
- Hackers are exploiting trusted Snap Store packages to steal cryptocurrency by hijacking existing publisher accounts.
- The attacks rely on expired domains and email addresses to push malicious updates.
- The incidents reveal weaknesses in the platform’s trust and security model.
Rather than creating fresh accounts on the Snap Store, which is operated by Canonical, attackers are now taking over existing publisher accounts, according to a warning from Ubuntu contributor and former Canonical developer Alan Pope.
The method relies on identifying expired web domains and email addresses linked to long-standing Snap Store developers, registering those domains, and then using the recovered access to hijack Snapcraft accounts.
Attackers Turn Legitimate Packages Malicious
Once inside, the attackers push malicious updates to packages that were previously benign, catching users off guard through automatic updates and long-established trust signals.
The Snap Store, like other major package repositories, has long been a target for malware campaigns.
Early efforts were relatively unsophisticated, with scammers publishing fake crypto wallet applications under newly created accounts.
When those attempts became easier to detect, attackers began disguising malicious apps using lookalike characters from other alphabets to evade filters.
According to Pope, the tactic then evolved into a bait-and-switch approach. Attackers would publish harmless software under neutral names such as “lemon-throw” or “alpha-hub,” often posing as simple games. After approval and a period of inactivity, a follow-up update would quietly introduce a fake crypto wallet designed to steal funds.
The latest development raises the stakes. In at least two confirmed cases, attackers took control of expired domains once owned by legitimate Snap publishers and used them to distribute wallet-stealing malware through automatic updates.
The affected applications appeared normal on the surface but were built to harvest wallet recovery phrases and transmit them to attacker-controlled servers.
By the time users noticed suspicious behavior, funds and sensitive data were already compromised.
Canonical has since removed the malicious snaps, but Pope warned that the response highlights deeper weaknesses in the platform’s trust model.
He said domain takeovers undermine publisher longevity as a safety signal and called for additional safeguards, including monitoring domain expirations, enforcing stronger account verification for dormant publishers, and requiring mandatory two-factor authentication.
Security Researcher Warns of Delayed Snap Store Takedowns
Pope also noted delays in removing reported malicious snaps, sometimes stretching over several days.
He advised users to exercise extra caution when installing cryptocurrency wallets on Linux and to consider downloading them directly from official project websites instead of app stores.
To help users assess risk, Pope created SnapScope, a web-based tool that flags snaps as suspicious or malicious before installation.
He also urged developers to keep domain registrations active and secure Snapcraft and email accounts with two-factor authentication.
According to Chainalysis, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.
In another case, US prosecutors have charged a 23-year-old Brooklyn resident, Ronald Spektor, with stealing roughly $16 million in cryptocurrency from around 100 Coinbase users through an alleged phishing and social engineering scheme.
