Linux Snap Users Warned as Attackers Push Malware Through Old Trusted Apps

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

Instead of creating new accounts, attackers are now monitoring the Snap Store for publishers whose associated domain names have expired. Once a domain lapses, the attackers register it themselves, trigger a password reset on the Snap Store account tied to that domain, and gain control of an established publisher identity. From there, they can push malicious updates to snaps that users may have trusted and installed years earlier.

I don't do crypto, but if you do, beware.


This is something that he developed:

Here's a discussion on snapscope on the Ubuntu Discourse:
