
Expired domains let attackers hijack Snap Store publishers to steal crypto

Researchers warn Snap Store flaw lets attackers reclaim expired domains to push fake crypto wallets and hijack publisher identities.

By Dr. Elena Rodriguez
Source: news.risky.biz

Security researchers are warning of a vulnerability in the Snap Store package distribution system that can let attackers reclaim expired email domains, seize publisher identities and distribute counterfeit cryptocurrency wallets to Linux users. The advisory, circulated on Jan. 21, 2026, describes a pattern of "domain resurrection" attacks that exploit the way publisher email addresses are bound to Snap Store accounts.

SlowMist Technology's chief information security officer, who posts under the handle 23pds, outlined how attackers monitor developer accounts tied to email domains that lapse, register those expired domains and then use the reclaimed addresses to trigger password resets on publisher accounts. With control of a long-standing publisher identity, an attacker can upload tampered snaps that pose as legitimate applications. Reported counterfeit wallets have mimicked well-known brands such as Exodus, Ledger Live and Trust Wallet, with user interfaces described as "nearly indistinguishable" from the authentic software. The intended goal is to capture mnemonic phrases, passwords and other credentials that enable theft of cryptocurrency holdings.

Security investigators say the Snap Store incidents are part of a broader pattern that has affected multiple package repositories. Over the past two years, attackers have combined domain resurrection with typosquatting and benign-appearing packages that later receive malicious updates. At least two Snap publisher accounts have been publicly identified as previously hijacked using this technique: storewise.tech and vagueentertainment.com. Researchers point to earlier academic work showing thousands of developer accounts on other registries were created with email domains that later expired, underscoring the feasibility of the method.

A related but distinct risk involves Ubuntu's command-not-found integration with the Snap Store. Researchers at Aqua Nautilus, part of Aquasec, found that when a user runs an unrecognized command, the system can recommend installing a snap package of that name. If an attacker has claimed the snap name, systems will suggest the malicious package as the fix. Aquasec's tests showed that roughly 26 percent of queried APT package commands had corresponding snap names available, leaving common tools such as jupyter-notebook open to name-squatting and potential compromise. Aquasec cautioned that it is unclear how extensively that specific vector has been exploited but urged immediate defensive measures.


Defensive recommendations focus on strengthening publisher account hygiene and repository controls. Suggested mitigations include tighter binding of publisher identities to verified, non-expiring contact methods, automated alerts for domain expiration tied to publisher accounts, mandatory multi-factor authentication for publisher actions and proactive reservation or monitoring of snap names that duplicate widely used APT commands. Repository owners and Linux distributors were urged to audit historical accounts and implement protections to prevent takeover via reclaimed domains.

Attribution of the campaigns remains tentative. Linux expert and former Canonical developer Alan Pope has suggested the group behind some Snap Store campaigns may operate from Croatia, but investigators emphasize that definitive attribution is unconfirmed. Researchers also note uncertainty about the total number of affected users and the scale of stolen funds.

The Snap Store findings arrive amid a steady flow of vendor patches for unrelated critical issues across the software ecosystem, highlighting persistent supply-chain and platform risks. Separate app-security incidents, including a Snapchat token reuse problem in which "security tokens" did not expire, reportedly addressed "as early as Friday," show how token management and identity controls remain recurring failure points in modern applications. The combined warnings underscore an urgent need for repository maintainers and developers to harden identity binding and update practices before attackers turn these weaknesses into broader fraud campaigns.
