We do often include affiliate links to earn us some pennies. See more here.

Not the first time this has happened, but recently the Snap store from Canonical hosted a scam bitcoin app that claimed to be "Exodus wallet" that caused a user to lose money.

Posting on the Snapcraft forum an unfortunate user noted their wallet has been emptied after using it, and a day later a Canonical staffer mentioned it had now been removed and they were investigating the incident.

Mark Shuttleworth, CEO of Canonical, has now jumped into the discussion in another forum post to note that while "cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting", Shuttleworth doesn't think that "banning cryptocurrency apps helps" as "If anything, it would make using Linux much worse.".

Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.

Hopefully Canonical come up with a good solution, because repeating issues like this reflect pretty poorly on Snap, Canonical and Ubuntu.

Alan Pope (formerly of Canonical, now Axiom) wrote up two blog posts on it "Exodus Bitcoin Wallet: $490K Swindle" and the follow-up "Exodus Bitcoin Wallet: Follow up 2.0" that you may want to read for a little more background.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Ubuntu
12 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
See more from me
All posts need to follow our rules. For users logged in: please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Guest readers can email us for any issues.
19 comments

Szkodnix Feb 23
Oh no!

Anyway speaking of Flatpak...
Pengling Feb 23
Uhh, I usually don't have anything to say about these "issues with Snaps" things, but, well...

Additionally, Shuttleworth also opened an additional forum post to discuss requiring "more comprehensive proof of publisher identity for every publisher" for Snaps. So if you have good ideas for them to implement, to make Snap publishing more secure - drop a reply in the linked post.
... Shouldn't they have thought of this before letting randoms publish to a store?
ShabbyX Feb 23
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.
sudoer Feb 23
$490K wow... please keep using Ubuntu and snaps, they are so perfect, also please help Shuttleworth in these tough times, after all snaps is a community project.
Crypto wallets and currencies aren't going anywhere. These things have to be dealt with not banned or blocked. They still need to be available. What Shuttleworth said makes perfect sense.

"I don’t however think that banning cryptocurrency apps helps. If anything, it would make using Linux much worse.

At least snaps have good, and over time increasingly good, mechanisms for technical confinement. Projects like Ubuntu and Debian and RHEL have relatively rigorous know-your-contributor processes, but apps can’t all be in the distro archives. The other Linux app distribution mechanisms (such as PPAs, Github builds and releases, OBS, or even the containerised ones like Flatpak) don’t have nearly the same technical measures for confinement that snaps do. If we ban cryptocurrency apps from the snap store then those users will simply get apps from those unconfined sources - and then the attacks will be even worse because the apps can go trawling all over the system, or do things like keylogging."

https://forum.snapcraft.io/t/should-unverified-cryptocurrency-apps-be-banned/38919/4

They are adding a high risk category to the store for starters. AI, crypto, fediverse... These newer are here to stay with their challenges and should nor could not be hidden away from. This has very little to do with snaps particularly but i'm sure many want to make it look like that. Things would have been the same with flatpak too.
Tuxee Feb 23
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.

Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...
I'm not sure I understand the problem. Was this not the behaviour he was expecting? Is the problem that the crypto app stole his money instead of the exchange doing it?


Last edited by Purple Library Guy on 23 February 2024 at 4:56 pm UTC
M@GOid Feb 23
If Google and Apple, with all that power, cannot keep their stores clean all the time, how is that a surprise that a malicious app got into Canonical's app store?
MadWolf Feb 23
i know a way that can fix this problem but it may be easier said than done

1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code
F.Ultra Feb 23
View PC info
  • Supporter
i know a way that can fix this problem but it may be easier said than done

1. mark any snap that has been uploaded by any one that is not part of the project team or Canonical as unofficial
2. all unofficial apps need to be checked to make shore the snap dose not contain malicious code
3. all snaps need to be randomly checked to make shore the snap dose not contain malicious code

Well it is how to perform #2 and #3 that is the question, not that it should be done, but how. AFAIK they are closed source.
Ehvis Feb 23
View PC info
  • Supporter Plus
The one thing that this demonstrates is that some people seem to trust the snap store as a safe place where it should be treated with the same caution as if it was the open internet. Of course that still wouldn't help some people, but I most Linux users should be able to manage.
LoudTechie Feb 23
They're trying to do something that full blown governments struggle to do.
Trustworthy international financial services.

I only see 3 real solutions to this issue they could try.
1. Find 1+ less scammy open source projects providing crypto wallets and just make theirs the only ones on your store.
2. one build the wallet yourself and make it the only one on your store.
3. obtain the cd containing the program personally at the producer's house and inspect their id-cart.


3 is basically how it is done for every individual intra european banking customer, which also shows its weakness. This is the level the EU checks consumers not banks. Snap simply doesn't have the recources to do that for proprietary apps.


Last edited by LoudTechie on 23 February 2024 at 8:41 pm UTC
I'm not sure I understand the problem. Was this not the behaviour he was expecting? Is the problem that the crypto app stole his money instead of the exchange doing it?
I'm reading Tracers in the Dark at the moment. I'm up to the part where Mt. Gox lost 500,000 bitcoins (every single Bitcoin they were entrusted with), managed to find 200,000 from an old wallet, and the rest remains lost.

Cryptocurrency exchanges (huge ones) have fallen again and again over the years.

If you're going to hold a lot of cryptocurrency, you want to hold that in a private wallet... ironically, you might be better at protecting it yourself than these exchanges with so many resources.

And I wouldn't trust just any store. Get the wallet software directly from the developer.

This is something AppImage is best suited for, actually...
Boldos Feb 24
View PC info
  • Supporter
Oh no!

Anyway speaking of Flatpak...

I use mostly snaps and very few flatpaks because Snapcraft is way ahead of Flathub in terms of verified (mainstream-ish) apps. Unverified apps should always have a big fat warning sign.
Yep, this ^^^^!
Eike Feb 24
View PC info
  • Supporter Plus
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.

Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...

I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Happy to say I finally switched to Debian last week, no more Canonical nonsense for me thank you very much.

Does Debian have a crypto wallet app in its core repositories? If no (and given that you need such one) - how would you evade a potential scam? The dude entered his 12-word super secret recovery key...

I don't know nothing about using crypto currencies, but I found these apps e.g.:
https://packages.debian.org/bookworm-backports/electrum
https://packages.debian.org/bookworm/monero
https://packages.debian.org/sid/dogecoin
Ah yes, Dogecoin. The most sensible of the crypto IMO. After all, it's perfectly reasonable for the ruler of Venice to be issuing coinage.

Spoiler, click me
On second thought, I should probably explain the obscure joke: Renaissance Venice was ruled by a sort of elected duke, called the doge. Useless facts for your entertainment and edification!


Last edited by Purple Library Guy on 24 February 2024 at 6:26 pm UTC
Milanium Feb 25
I published to the snap store. It is largely unmoderated. They have 100 something automated tests that check for formalities and if one of those fails, they tell you to fix it because they don't want to manually review your app and they also don't do it in a timely manner.
soulsource Feb 26
if you have good ideas for them to implement
They could have a dedicated maintainer for each package, who is responsible for building the package from source, and who is accountable in case the package contains malware. They could set up a system like this: https://wiki.debian.org/Maintainers

Oh, wait...
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register