Hackers Exploit Snap Domains to Inject Malicious Code into Linux Software Packages

Snaps are compressed, cryptographically signed, revertable software packages for Linux desktops, servers, and embedded devices.

A sophisticated campaign targeting Canonical’s Snap Store has escalated dramatically, with threat actors shifting from publishing malware under new accounts to hijacking established publishers through expired domain takeovers.

This represents a fundamental erosion of trust signals that Linux users previously relied upon when installing snap packages.

Scammers have discovered a critical weakness in account recovery mechanisms: they systematically identify snaps published years ago by developers whose email domains have expired.

When a publisher’s domain registration lapses (for example storewise.tech or vagueentertainment.com), attackers register the domain themselves and exploit the Snap Store password reset functionality.

With domain control established, they trigger account takeovers without triggering “New Publisher” warnings or elevated scrutiny that normally flag suspicious accounts.

The impact is profound. Previously trustworthy snaps with years of installation history suddenly push malicious updates containing cryptocurrency wallet stealers, creating a vector that appears legitimate to users relying on publisher longevity as a trust indicator.

The Malware Infrastructure

Analysis reveals perpetrators likely operating from or near Croatia are deploying fake cryptocurrency wallet applications primarily masquerading as Exodus, Ledger Live, and Trust Wallet.

These applications perform a predictable attack sequence: requesting users enter wallet recovery phrases, exfiltrating credentials to attacker infrastructure via Telegram integration, displaying false errors, and emptying wallets before users detect the compromise.

Technical investigation of command-and-control infrastructure uncovered revealing operational security failures.

SnapScope (source: Alan Pope).

My original intention was to create a web app that generates an SBOM (Software Bill of Materials) for each snap using Syft, then produces a vulnerability report using Grype.

The backend connectivity test initially exposed JSON responses containing Telegram bot identifiers and usernames (notably “pandadrainerbot” and user “@ikaikaika101”), though scammers subsequently removed these identifiers after exposure.

The C2 URL pattern queries connectivity before requesting sensitive data, ensuring exfiltration infrastructure remains operational before harvesting credentials.

The threat actors have progressively refined obfuscation methods. Initial attempts relied on authentic-looking application interfaces.

Subsequent iterations employed visual homoglyph attacks substituting Latin characters with lookalikes from other alphabets (Armenian Zhe “ժ” for “d”, Cyrillic Palochka “ӏ” for “L”).

Most recently, attackers adopted bait-and-switch approaches: registering innocuous snap names like “lemon-throw” or “alpha-hub”, publishing benign applications for approval, then pushing malicious revisions containing wallet stealers after gaining trust.
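The homoglyph substitutions described above (Armenian zhe for “d”, Cyrillic palochka for “L”) are detectable before a name is ever approved. The following is an added example, not code from the article, from Alan Pope’s SnapScope, or from Canonical: a store-side screening check that flags a proposed package name when it mixes Unicode scripts or collapses to a known, trusted name once lookalike characters are mapped back to ASCII. The confusables table is a small constructed subset (a real deployment would load the full Unicode `confusables.txt`), and the list of known names is taken from the wallets the article says were impersonated.

```python
"""Added example (not from the article or any Snap Store tooling): screen a
candidate package name for script mixing and for collisions with trusted
names after folding visually confusable characters to ASCII."""

import unicodedata

# Constructed subset of the Unicode confusables data (lookalike -> ASCII).
# The two characters named in the article are included.
CONFUSABLES = {
    "\u056a": "d",   # ARMENIAN SMALL LETTER ZHE  (ժ)
    "\u04cf": "l",   # CYRILLIC SMALL LETTER PALOCHKA  (ӏ)
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0455": "s",   # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",   # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0501": "d",   # CYRILLIC SMALL LETTER KOMI DE
    "\u0131": "i",   # LATIN SMALL LETTER DOTLESS I
}

def script_of(ch: str) -> str:
    """Coarse script class taken from the Unicode character name."""
    if not ch.isalpha():
        return "common"          # digits, hyphens, etc. belong to no script
    name = unicodedata.name(ch, "")
    for s in ("LATIN", "CYRILLIC", "ARMENIAN", "GREEK"):
        if name.startswith(s):
            return s.lower()
    return "other"

def mixed_scripts(name: str) -> set:
    """Set of alphabetic scripts present in the name (ignoring 'common')."""
    return {s for s in map(script_of, name) if s != "common"}

def skeleton(name: str) -> str:
    """NFKC-normalise, lowercase, and fold lookalikes to ASCII so that
    visually identical names compare equal."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def screen_name(candidate: str, known: list) -> dict:
    """Return findings for a proposed name against a list of trusted names.
    'impersonates' holds the trusted name whose skeleton it collides with."""
    scripts = mixed_scripts(candidate)
    skel = skeleton(candidate)
    collision = next((k for k in known
                      if skel == skeleton(k) and candidate != k), None)
    return {
        "name": candidate,
        "non_ascii": not candidate.isascii(),
        "mixed_script": len(scripts) > 1,
        "impersonates": collision,
        "suspicious": len(scripts) > 1 or collision is not None,
    }

# Trusted names derived from the wallets the article says were impersonated.
KNOWN_NAMES = ["exodus", "ledger-live", "trust-wallet"]

if __name__ == "__main__":
    # Constructed candidates: two homoglyph forgeries and one benign name.
    for n in ["exo\u056aus", "\u04cfedger-live", "lemon-throw"]:
        print(screen_name(n, KNOWN_NAMES))
```

The script check and the skeleton check are deliberately independent: a forged name built entirely from Cyrillic letters would pass the mixed-script test, but still collides with the trusted name after folding.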

Mitigations

The Snap Store security model relies on community reporting, creating delays between malware publication and removal.

Publishers must maintain active domain registrations and enable two-factor authentication. Canonical should implement domain expiry monitoring for publisher accounts, enforce mandatory 2FA for dormant accounts, and require additional verification before account recovery from lapsed domains.
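One way to turn the last two recommendations into a concrete check, as an added example that is not from the article or from Canonical: before an e-mail based password reset is honoured, compare the registration (creation) date of the publisher’s e-mail domain with the date the store last verified that mailbox. A domain created after the verification date has lapsed and been re-registered, possibly by someone else, so the reset must fall back to stronger verification. Domain data below is a constructed stub standing in for an RDAP/WHOIS lookup, and all domains and accounts are placeholders.

```python
"""Added example (not from the article or from Canonical): account-recovery
gating and periodic domain-expiry monitoring for publisher accounts."""

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed WHOIS-style data: domain -> creation date, or None when the
# domain is currently unregistered. A real deployment would query RDAP.
DOMAIN_REGISTRY = {
    "longtime-dev.example": date(2012, 3, 1),
    "lapsed-and-retaken.example": date(2025, 8, 20),   # re-registered recently
    "never-renewed.example": None,
}

@dataclass
class PublisherAccount:
    username: str
    email: str
    email_verified_on: date    # when the store last confirmed this mailbox
    last_login: date
    mfa_enabled: bool

def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()

def domain_registered_on(domain: str, registry=DOMAIN_REGISTRY):
    """Creation date of the domain, or None if unregistered/unknown."""
    return registry.get(domain)

def recovery_decision(acct: PublisherAccount, today: date,
                      registry=DOMAIN_REGISTRY,
                      dormant_after=timedelta(days=365)) -> str:
    """Decide how a password-reset request for `acct` is handled.

    "allow-email-reset"          mailbox stable since it was verified
    "require-extra-verification" domain changed hands, or account dormant
                                 without 2FA
    "lock-and-review"            domain currently unregistered: a reset link
                                 cannot reach the original owner at all
    """
    created = domain_registered_on(domain_of(acct.email), registry)
    if created is None:
        return "lock-and-review"
    # A creation date newer than our last verification means the registration
    # lapsed and was re-created, so the mailbox may belong to someone else.
    if created > acct.email_verified_on:
        return "require-extra-verification"
    if today - acct.last_login > dormant_after and not acct.mfa_enabled:
        return "require-extra-verification"
    return "allow-email-reset"

def audit_publishers(accounts, today: date, registry=DOMAIN_REGISTRY) -> dict:
    """Batch form for scheduled monitoring: {username: decision} for every
    account that is not in the clean state."""
    findings = {}
    for acct in accounts:
        decision = recovery_decision(acct, today, registry)
        if decision != "allow-email-reset":
            findings[acct.username] = decision
    return findings

TODAY = date(2025, 10, 1)  # constructed "now" so the example is reproducible

SAMPLE_ACCOUNTS = [  # constructed
    PublisherAccount("active-dev", "me@longtime-dev.example",
                     date(2024, 1, 10), date(2025, 9, 1), True),
    PublisherAccount("dormant-dev", "d@longtime-dev.example",
                     date(2015, 4, 1), date(2016, 2, 1), False),
    PublisherAccount("old-wallet-app", "dev@lapsed-and-retaken.example",
                     date(2019, 5, 2), date(2019, 6, 1), False),
    PublisherAccount("ghost-publisher", "x@never-renewed.example",
                     date(2018, 1, 1), date(2018, 2, 1), False),
]

if __name__ == "__main__":
    for name, decision in audit_publishers(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}: {decision}")
```

The comparison against `email_verified_on` rather than against account creation matters: a publisher who renewed a domain late and then re-verified their address is not penalised, while a domain that was re-created after the last verification is treated as untrusted regardless of how old the account is.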

Users may encounter, install, and be compromised by malicious applications before any intervention occurs. With over 7,000 publicly published snaps and minimal publication barriers, the attack surface remains expansive.

Users should avoid cryptocurrency wallet applications from any app store, instead downloading directly from official project websites. The window between publication and detection remains too long for safe installation from untrusted sources.
