Critical Security Flaw Discovered: How Hackers Exploit Expired Domains to Steal Cryptocurrency Through Snap Store
On January 21, a significant security threat was uncovered affecting the Snap Store application marketplace for Linux systems. According to reports from SlowMist Technology’s Chief Information Security Officer, attackers have discovered a critical vulnerability that enables them to compromise cryptocurrency wallet applications and drain user assets. This hacker exploit represents a sophisticated attack chain targeting one of Linux’s most widely used software distribution channels.
How Attackers Exploited the Domain Expiration Vulnerability to Hijack Publisher Accounts
The attack methodology is a multi-step process that takes advantage of domain registration lapses. Security researchers identified that the attackers systematically monitored developer accounts on Snap Store whose associated domains had expired. Once an eligible target was identified, the attackers re-registered the same domain names, which gave them control of any mailbox at those domains, including the email addresses on file for the publisher accounts. They then initiated password resets for those accounts and received the reset messages themselves. In this way the attackers took over publisher accounts that had established significant reputation histories on the platform.
The compromised publisher domains confirmed so far include storewise.tech and vagueentertainment.com. These accounts, now under attacker control, were subsequently used to distribute malicious applications.
Cryptocurrency Wallets Under Threat: The Malware Disguise Strategy
The hijacked publisher accounts were leveraged to distribute counterfeit versions of popular cryptocurrency wallet applications. The malicious applications impersonated well-known legitimate wallets including Exodus, Ledger Live, and Trust Wallet. The user interfaces were designed to be nearly identical to the original applications, making detection by casual users extremely difficult.
Once installed, these counterfeit applications display a deceptive prompt asking users to enter their "wallet recovery mnemonic phrase", a highly sensitive secret that grants complete control of the associated cryptocurrency holdings. When users unknowingly submit this recovery phrase, it is transmitted directly to the attackers' command servers. The result is immediate unauthorized access to victims' digital assets and complete loss of funds.
Security Implications and Protective Measures
This incident highlights a critical security gap in how application marketplaces handle domain verification for publisher accounts: an account's recovery channel is only as trustworthy as the current registrant of its email domain. Security teams now recommend that developers keep their domain registrations active and that marketplaces add further authentication layers, beyond email alone, to account recovery processes. Users should verify wallet applications through official project websites and treat any request for a recovery phrase as a red flag: legitimate wallet developers never ask for this information through their applications.
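The takeover chain above (expired publisher domain, re-registration, email-based password reset) suggests a marketplace-side hygiene check. The following is an added example, not code from the article or from Snap Store: it audits publisher contact addresses and flags those whose email domain has expired, is about to expire, or no longer has mail servers, so that password resets for those accounts can be held for re-verification. Publisher names, dates and DNS answers are constructed stand-ins; a real deployment would replace `lookup_expiry` and `lookup_mx` with RDAP/WHOIS and DNS queries.

```python
"""Flag publisher accounts whose contact-email domain has lapsed.

Added example (not from the article or Snap Store). Registration
expiry and MX data are constructed so the check runs offline.
"""
from datetime import date, timedelta

# Constructed sample publishers (hypothetical names and addresses).
PUBLISHERS = [
    {"publisher": "acme-wallets", "email": "dev@acme-wallets.example"},
    {"publisher": "lapsed-dev", "email": "owner@lapsed-dev.example"},
    {"publisher": "soon-dev", "email": "ops@soon-dev.example"},
    {"publisher": "nomx-dev", "email": "team@nomx-dev.example"},
]

# Stand-ins for registrar expiry dates and DNS MX answers (constructed).
EXPIRY = {
    "acme-wallets.example": date(2027, 6, 1),
    "lapsed-dev.example": date(2024, 11, 3),
    "soon-dev.example": date(2025, 1, 25),
    "nomx-dev.example": date(2026, 9, 9),
}
MX = {
    "acme-wallets.example": ["mx1.acme-wallets.example"],
    "lapsed-dev.example": ["mx.lapsed-dev.example"],
    "soon-dev.example": ["mx.soon-dev.example"],
    "nomx-dev.example": [],
}


def lookup_expiry(domain):
    """Placeholder for an RDAP/WHOIS expiry lookup."""
    return EXPIRY.get(domain)


def lookup_mx(domain):
    """Placeholder for a DNS MX query."""
    return MX.get(domain, [])


def audit_publishers(publishers, today, warn_days=30,
                     expiry=lookup_expiry, mx=lookup_mx):
    """Return {publisher: reason} for accounts whose reset channel is at risk."""
    findings = {}
    for p in publishers:
        domain = p["email"].rsplit("@", 1)[-1].lower()
        exp = expiry(domain)
        if exp is None:
            findings[p["publisher"]] = "registration unknown: treat as unverified"
        elif exp < today:  # a new registrant would now receive reset mail
            findings[p["publisher"]] = f"domain expired {exp.isoformat()}: hold password resets"
        elif exp - today <= timedelta(days=warn_days):
            findings[p["publisher"]] = f"domain expires in {(exp - today).days} days: require re-verification"
        elif not mx(domain):  # reset mail cannot reach the original owner
            findings[p["publisher"]] = "no MX records: recovery email undeliverable"
    return findings
```

Run periodically against the publisher directory and feed the findings into the account-recovery flow so that a reset request for a flagged account requires a second factor instead of email alone.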
The broader hacker ecosystem has demonstrated increasing sophistication in targeting the cryptocurrency sector through supply chain compromises and domain-based social engineering attacks.