PROBABLYPWNED
Threat Intelligence | June 2, 2026 | 4 min read

JINX-0164 Targets Crypto Developers via LinkedIn and macOS Malware

New threat actor uses fake recruiter profiles to deploy AUDIOFIX and MINIRAT malware against cryptocurrency organizations. npm supply chain also compromised.

Alex Kowalski

A financially motivated threat actor tracked as JINX-0164 has been running a targeted campaign against cryptocurrency organizations since mid-2025, using recruitment-themed social engineering on LinkedIn to deploy custom macOS malware. Wiz security researchers published detailed analysis of the campaign after tracking intrusions across multiple cryptocurrency firms.

The group combines sophisticated social engineering with custom-built malware and supply chain attacks, showing a level of operational maturity that suggests well-resourced criminal operators rather than opportunistic attackers.

Attack Chain

JINX-0164's campaigns begin with convincingly crafted LinkedIn profiles reaching out to developers and engineers at cryptocurrency companies. The lure typically involves a lucrative job opportunity or business partnership.

Once trust is established through messaging, victims receive invitations to video calls hosted on fake conferencing platforms designed to mimic Microsoft Teams or similar services. These fake platforms prompt visitors to download what appears to be a video conferencing client—actually the AUDIOFIX malware.

The social engineering demonstrates familiarity with phishing and impersonation tactics tailored specifically for the tech industry, where cold outreach from recruiters is normalized.

AUDIOFIX Malware Capabilities

AUDIOFIX is a Python-based infostealer and backdoor engineered specifically for macOS environments. Its capabilities include:

  • Credential harvesting: Extracts stored browser credentials, SSH keys, and Keychain contents
  • Cryptocurrency wallet theft: Targets 51 browser extensions for crypto wallets
  • Cloud credential theft: Harvests AWS, GCP, and Azure API keys
  • Clipboard monitoring: Captures cryptocurrency addresses in real time
  • Persistence mechanisms: Establishes foothold for long-term access

The malware communicates with command-and-control infrastructure over encrypted HTTPS using AES-256-CBC encryption. It dynamically adjusts polling intervals to evade detection—a technique that suggests the operators have experience evading enterprise security tools.

Supply Chain Escalation

On April 7, 2026, JINX-0164 escalated beyond direct targeting by compromising the npm software supply chain. The group quietly modified version 4.9.1 of @velora-dex/sdk, a cryptocurrency SDK with significant adoption.

The compromised package contained code that would download and execute a shell script whenever imported by any project. That script delivered MINIRAT, a lightweight Go-based backdoor providing persistent access to developer workstations.

This mirrors the Red Hat npm compromise and earlier supply chain attacks against financial sector developers.

MINIRAT Technical Details

MINIRAT provides basic remote access capabilities:

  • Command execution on compromised systems
  • File upload and download
  • Process management
  • Screenshot capture
  • Network reconnaissance

Its small footprint (under 500KB) and use of legitimate cloud services for C2 make detection challenging. The malware uses domain fronting techniques to hide communications within normal HTTPS traffic.

Attribution and Motivation

Wiz assesses JINX-0164 as financially motivated based on their exclusive targeting of cryptocurrency organizations and focus on wallet theft. The group's operational patterns suggest Eastern European origins, though definitive attribution remains difficult.

The combination of social engineering expertise and technical sophistication—including both macOS malware development and supply chain compromise capabilities—indicates a well-organized criminal operation.

Defensive Recommendations

Organizations in the cryptocurrency sector should implement these defenses:

  1. Verify recruiters independently before downloading any files or joining calls
  2. Audit npm dependencies for @velora-dex/sdk and similar packages
  3. Deploy macOS endpoint detection capable of identifying AUDIOFIX indicators
  4. Implement code signing requirements for all developer tools
  5. Monitor for unusual outbound connections from developer workstations

Why This Matters

JINX-0164 represents a maturing threat to the cryptocurrency ecosystem. Their progression from social engineering to supply chain attacks shows strategic thinking about attack surface expansion.

For cryptocurrency firms, this means treating developer security as a top priority. For details on broader threat intelligence trends, check PortSix for IP enrichment on suspicious indicators. The intersection of social engineering, malware, and supply chain compromise creates a multi-vector threat that requires defense across multiple domains.
