Hackers compromise Snap Store accounts to spread malware to steal digital currency on Linux



Cryptocurrency hackers are exploiting trusted Linux software to steal digital assets, with a new technique that turns legitimate Snap Store packages into malware.

Key points:

  • Hackers are using the Snap Store’s trusted packages to steal cryptocurrencies by hacking existing publisher accounts.
  • This attack relies on expired domains and email addresses to push malicious updates.
  • These incidents show weaknesses in the platform’s trust and security.

Instead of creating new accounts on the Snap Store, which is managed by Canonical, attackers are now taking over existing publisher accounts, according to an alert from Alan Pope, an Ubuntu contributor and former developer at Canonical.

The method relies on identifying defunct domains and email addresses associated with former Snap Store developers, registering those domains, and then using the restored email access to take over the associated Snapcraft accounts.

Attackers turn legitimate software into malicious software

Once inside, attackers push malicious updates to previously benign packages, catching users off guard through automatic updates and the trust signals the packages had already earned.

The Snap Store, like other major package stores, has been the target of a criminal campaign.

Early efforts were fraught, with hackers sending fake cryptocurrency wallets under newly created accounts.

As these attempts became easier to detect, attackers began to disguise malicious software by substituting similar-looking characters for the originals to evade filters.

According to Pope, this trick later evolved into a bait-and-switch. Attackers can publish harmless programs with neutral names like “Lemon Thru” or “AlphaHub,” often masquerading as simple games. After approval and a period of inactivity, the next update silently delivers a fake cryptocurrency wallet designed to steal money.

Recent developments make the situation even more difficult. In two confirmed cases, hackers targeted already-expired domains that had belonged to legitimate Snap Store publishers and used them to distribute wallet-stealing malware to users through automatic updates.

The affected software looked normal on the surface, but was designed to collect wallet recovery phrases and send them to servers controlled by the attackers.

By the time users noticed suspicious behavior, money and personal information had already been compromised.

Canonical has since removed the malicious Snap packages, but Pope has warned that this solution shows deep weaknesses in the platform’s reliability.

He said domain confiscation is reducing publishers’ power as a security brand, and called for additional security measures, including monitoring domain expiration, verifying accounts for inactive publishers, and requiring two-factor authentication.
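One way a store operator or publisher could implement the domain-expiration monitoring Pope calls for, shown as an added example (not code from Pope, Canonical or SnapScope). The publisher records, RDAP-style responses and status labels are constructed assumptions; a real check would fetch the RDAP record for each contact domain.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. The "events" layout follows RDAP (RFC 9083);
# publisher names, domains and dates are invented for illustration.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
PUBLISHERS = [
    {"name": "maintained-app", "email": "dev@maintained.example", "created": "2019-03-01T00:00:00Z"},
    {"name": "lapsing-app", "email": "dev@lapsing.example", "created": "2017-08-12T00:00:00Z"},
    {"name": "dormant-app", "email": "dev@dormant.example", "created": "2018-05-01T00:00:00Z"},
    {"name": "abandoned-app", "email": "dev@abandoned.example", "created": "2016-01-20T00:00:00Z"},
]

def _rdap(registered, expires):
    return {"events": [{"eventAction": "registration", "eventDate": registered},
                       {"eventAction": "expiration", "eventDate": expires}]}

RDAP = {
    "maintained.example": _rdap("2015-06-10T00:00:00Z", "2027-06-10T00:00:00Z"),
    "lapsing.example": _rdap("2016-02-20T00:00:00Z", "2026-02-20T00:00:00Z"),
    "dormant.example": _rdap("2025-11-02T00:00:00Z", "2026-11-02T00:00:00Z"),
    # abandoned.example has no record: assumed here to mean "unregistered"
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _event(record, action):
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return _ts(ev["eventDate"])
    return None

def assess(publisher, rdap, now, warn_days=60):
    """Classify the domain behind a publisher's contact e-mail address."""
    domain = publisher["email"].rsplit("@", 1)[1].lower()
    record = rdap.get(domain)
    if record is None:
        return "UNREGISTERED"      # anyone can register it and receive mail
    registered, expires = _event(record, "registration"), _event(record, "expiration")
    if registered and registered > _ts(publisher["created"]):
        return "REREGISTERED"      # registered anew after the account was created
    if expires and expires <= now:
        return "EXPIRED"
    if expires and expires - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"

def audit(publishers, rdap, now=NOW):
    return {p["name"]: assess(p, rdap, now) for p in publishers}
```

Accounts flagged `REREGISTERED` or `UNREGISTERED` are the ones where account re-verification, another of the measures Pope lists, matters most, since the contact mailbox may no longer belong to the original publisher.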

A security researcher warns of a potential shutdown of the Snap Store

Pope also noted that there was a delay in removing malicious Snap packages, sometimes lasting several days.

He advised users to be very careful when installing cryptocurrency wallets on Linux, and to consider downloading directly from the project’s official website instead of downloading software.

To help users assess risks, Pope created SnapScope, a web-based tool that automatically classifies packages as suspicious or malicious before they are installed.

He also encouraged driver developers to maintain domain registrations and secure Snapcraft and email accounts with two-factor authentication.

According to Chainalysis, banned cryptocurrency addresses will receive a record $154 billion in 2025, a significant increase compared to the previous year.

In another case, US prosecutors accused Ronald Spector, a 23-year-old Brooklyn resident, of stealing about $16 million in cryptocurrencies from about 100 Coinbase users through a phishing and social engineering scheme.

The post “Hackers compromise Snap Store accounts to spread malware to steal digital currency on Linux” first appeared on Cryptonews Arabic.




