Hackers Hijack Snap Store Accounts to Push Crypto-Stealing Malware on Linux

Cryptocurrency hackers are exploiting trusted Linux software to steal digital assets, using a new technique that turns legitimate Snap Store packages into malware.

Rather than creating fresh accounts on the Snap Store, which is operated by Canonical, attackers are now taking over existing publisher accounts, according to a warning from Ubuntu contributor and former Canonical developer Alan Pope.

The method relies on identifying expired web domains and email addresses linked to long-standing Snap Store developers, registering those domains, and then using the recovered access to hijack Snapcraft accounts.

Attackers Turn Legitimate Packages Malicious

Once inside, the attackers push malicious updates to packages that were previously benign, catching users off guard through automatic updates and long-established trust signals.

The Snap Store, like other major package repositories, has long been a target for malware campaigns.

Early efforts were relatively unsophisticated, with scammers publishing fake crypto wallet applications under newly created accounts.

When those attempts became easier to detect, attackers began disguising malicious apps using lookalike characters from other alphabets to evade filters.

According to Pope, the tactic then evolved into a bait-and-switch approach. Attackers would publish harmless software under neutral names such as “lemon-throw” or “alpha-hub,” often posing as simple games. After approval and a period of inactivity, a follow-up update would quietly introduce a fake crypto wallet designed to steal funds.

The latest development raises the stakes. In at least two confirmed cases, attackers took control of expired domains once owned by legitimate Snap publishers and used them to distribute wallet-stealing malware through automatic updates.

A new Snap Store scam campaign abuses expired publisher domains to bypass trust signals and deliver malicious app updates.https://t.co/nWL9HGXACe#Linux #OpenSource

— Linuxiac (@linuxiac) January 19, 2026

The affected applications appeared normal on the surface but were built to harvest wallet recovery phrases and transmit them to attacker-controlled servers.

By the time users noticed suspicious behavior, funds and sensitive data were already compromised.

Canonical has since removed the malicious snaps, but Pope warned that the response highlights deeper weaknesses in the platform’s trust model.

He said domain takeovers undermine publisher longevity as a safety signal and called for additional safeguards, including monitoring domain expirations, enforcing stronger account verification for dormant publishers, and requiring mandatory two-factor authentication.

Security Researcher Warns of Delayed Snap Store Takedowns

Pope also noted delays in removing reported malicious snaps, sometimes stretching over several days.

He advised users to exercise extra caution when installing cryptocurrency wallets on Linux and to consider downloading them directly from official project websites instead of app stores.

To help users assess risk, Pope created SnapScope, a web-based tool that flags snaps as suspicious or malicious before installation.

He also urged developers to keep domain registrations active and secure Snapcraft and email accounts with two-factor authentication.

According to Chainalysis, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.

In another case, US prosecutors have charged a 23-year-old Brooklyn resident, Ronald Spektor, with stealing roughly $16 million in cryptocurrency from around 100 Coinbase users through an alleged phishing and social engineering scheme.