Cybersecurity | 29 May 2026 | Matas Bliudzius

JINX-0164: The Threat Group Using LinkedIn to Deploy macOS Malware on Crypto Developers


Security researchers at Wiz.io have identified a financially motivated threat group called JINX-0164 that is using LinkedIn to impersonate recruiters and business contacts, luring cryptocurrency developers into downloading custom macOS malware capable of stealing wallets, credentials, and cloud access tokens.

Who Is JINX-0164?

JINX-0164 is a financially motivated threat actor that has been conducting targeted attacks against cryptocurrency organisations since at least mid-2025. The group is notable for combining multiple attack techniques into a coordinated operation: LinkedIn-based social engineering, custom macOS malware, cryptocurrency wallet theft, and supply chain sabotage through trojanised npm packages and manipulated Git commit metadata.

How the LinkedIn Social Engineering Works

The attack begins on LinkedIn, where JINX-0164 operates convincingly constructed profiles posing as recruiters or business partners. The group targets software developers at cryptocurrency companies specifically — typically reaching out with job offers, partnership proposals, or requests for technical collaboration.

Once rapport is established, the attacker sends the victim an invitation to a meeting via what appears to be a familiar conferencing platform link. The destination is a fake conferencing page designed to mimic Microsoft Teams or similar services. Clicking the meeting link triggers the download and execution of macOS-specific malware — all while appearing to the victim as a routine business meeting setup.

The use of LinkedIn is deliberate: it provides a veneer of professional legitimacy that email-based phishing cannot replicate. Developers are accustomed to receiving LinkedIn outreach from recruiters, making the initial contact feel entirely normal.
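The lure described above works because the meeting link looks like a familiar conferencing URL. The following check is an added example written for this post (it is not code from the original article or from Wiz.io) showing how a mail gateway, chat bot or developer-side script can verify that a link received from an outside contact actually points at an approved conferencing service. The allowlist of domains is an assumption; substitute the services your organisation uses. It deliberately handles the look-alike tricks that defeat a casual glance: a trusted name used as a subdomain of an attacker domain, a trusted name placed before `@` as userinfo, plain `http`, and non-ASCII or punycode homoglyph hosts.

```python
"""Verify that a meeting invitation link points at an approved conferencing service.

Added example for this post; it is not code from the original article or from
Wiz.io. The domain allowlist is an assumption: replace it with the services
your organisation actually uses.
"""
from urllib.parse import urlsplit

# Assumed allowlist. A link passes only if its host is exactly one of these
# domains or a subdomain of one of them.
APPROVED_CONFERENCING_DOMAINS = (
    "teams.microsoft.com",
    "zoom.us",
    "meet.google.com",
)


def meeting_link_is_approved(url, approved=APPROVED_CONFERENCING_DOMAINS):
    """Return (ok, reason) for a meeting link received from an outside contact."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, expected https"

    # Anything before '@' in the authority is userinfo, not the host:
    # https://teams.microsoft.com@evil.test/ actually connects to evil.test.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo before '@'; the real host is hidden after it"

    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "URL has no host"

    # Reject look-alike hosts built from non-ASCII characters (homoglyphs)
    # or their punycode (xn--) encoding; the approved services use plain ASCII.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, f"host {host!r} uses non-ASCII or punycode labels (possible look-alike)"

    # The suffix match must include the leading dot, otherwise
    # 'fakezoom.us' would be accepted as 'zoom.us'.
    for domain in approved:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is under approved domain {domain}"

    return False, f"host {host} is not under any approved conferencing domain"


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking accepted link, three lures.
    for link in (
        "https://teams.microsoft.com/l/meetup-join/example",
        "https://teams.microsoft.com.meeting-invite.test/join",
        "https://teams.microsoft.com@meeting-invite.test/join",
        "http://zoom.us/j/123456",
    ):
        print(meeting_link_is_approved(link), link)
```

The check is intentionally strict: it rejects rather than warns, because a developer who has already been talked into a "meeting" by a convincing recruiter profile is not in a good position to weigh a warning. Anything the allowlist rejects should be opened, if at all, only by typing the known conferencing domain by hand.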

The Malware: AUDIOFIX and MINIRAT

JINX-0164 deploys two custom macOS malware tools, each serving a different function:

AUDIOFIX — Infostealer and Backdoor

AUDIOFIX is a compiled Python-based infostealer and backdoor. Once executed on the victim’s Mac, it harvests an extensive range of sensitive data:

  • Browser-saved credentials and session cookies
  • Cryptocurrency wallet extensions (targeting popular browser-based wallets)
  • SSH private keys
  • Cloud API tokens (AWS, GCP, Azure)
  • Clipboard contents (critical for intercepting wallet addresses and seed phrases)
  • Discord, Slack, and Telegram session data

All exfiltrated data is transmitted to the attacker’s command-and-control infrastructure over encrypted HTTPS using AES-256-CBC encryption, making the traffic blend in with normal web traffic and evade simple network monitoring.

MINIRAT — Persistent Backdoor

MINIRAT is a Go-based remote access tool providing persistent access to the compromised machine. Rather than broad data theft, it focuses on command execution, file access, and maintaining a long-term foothold. The combination of AUDIOFIX and MINIRAT means JINX-0164 can conduct immediate credential theft while retaining ongoing access for future operations.

Supply Chain Sabotage

Beyond direct device compromise, JINX-0164 escalates attacks through supply chain sabotage:

  • Trojanised npm packages: The group has published malicious packages to the npm registry — the package repository used by JavaScript and Node.js developers — designed to infect any project that installs them
  • Git commit manipulation: JINX-0164 tampers with commit metadata to impersonate legitimate developers, potentially inserting malicious code into repositories in a way that is attributed to trusted contributors

These supply chain techniques extend the attack’s reach beyond the directly targeted developers to any organisation or project that consumes the compromised packages.
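Because a trojanised package reaches every project that installs it, the practical control is to review what a dependency change actually pulls in before `npm install` runs it. The script below is an added example written for this post (not code from the original article, from Wiz.io or from npm). It compares two `package-lock.json` files using the lockfile v2/v3 `packages` map that npm writes, where each installed package is keyed by its `node_modules` path and carries `version`, `resolved`, `integrity` and, for packages with install lifecycle scripts, `hasInstallScript: true`. Both lockfiles are constructed sample data with made-up package names, and the registry allowlist is an assumption.

```python
"""Review what an updated package-lock.json introduces before running npm install.

Added example for this post; not code from the original article, from Wiz.io
or from npm. Both lockfiles below are constructed sample data with made-up
package names; the registry allowlist is an assumption.
"""
from urllib.parse import urlsplit

# Assumed: tarballs are expected only from the public npm registry over HTTPS.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed: the lockfile as committed on the main branch.
OLD_LOCK = {
    "name": "wallet-ui", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-ui", "version": "1.0.0"},
        "node_modules/example-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-pad/-/example-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-A",
        },
    },
}

# Constructed: the lockfile from an incoming change that "updates dependencies".
NEW_LOCK = {
    "name": "wallet-ui", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-ui", "version": "1.0.0"},
        "node_modules/example-pad": {
            "version": "1.3.1",
            "resolved": "https://registry.npmjs.org/example-pad/-/example-pad-1.3.1.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-B",
        },
        "node_modules/tiny-logger-demo": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/tiny-logger-demo/-/tiny-logger-demo-2.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER-C",
        },
        "node_modules/wallet-helpers-util": {
            "version": "0.1.0",
            "resolved": "https://cdn.package-mirror.test/wallet-helpers-util-0.1.0.tgz",
            "hasInstallScript": True,
        },
    },
}


def review_lockfile_change(old_lock, new_lock, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return {package name: [reasons]} for lockfile entries that deserve a human look."""
    old = old_lock.get("packages", {})
    new = new_lock.get("packages", {})
    findings = {}
    for path, meta in new.items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        prev = old.get(path)
        if prev == meta:  # entry unchanged, reviewed when it was first added
            continue
        reasons = []
        if prev is None:
            reasons.append("new dependency: check maintainers, publish date and source repo")
        elif prev.get("version") != meta.get("version"):
            reasons.append(f"version changed {prev.get('version')} -> {meta.get('version')}")
        resolved = meta.get("resolved", "")
        url = urlsplit(resolved)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            reasons.append(f"resolved from outside the allowed registry: {resolved or '<none>'}")
        if not meta.get("integrity"):
            reasons.append("no integrity hash: npm cannot verify the tarball it downloads")
        if meta.get("hasInstallScript"):
            reasons.append("runs an install lifecycle script, i.e. code executes on the developer machine")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_lockfile_change(OLD_LOCK, NEW_LOCK).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it in CI against the lockfile on the base branch and the one in the pull request; a version bump from the registry with an integrity hash is routine, while a new package fetched from an unknown host with no integrity hash and an install script is the combination that should block the merge until someone has read the package.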

Why Cryptocurrency Organisations Are Targeted

The financial motivation is clear: cryptocurrency organisations hold and transfer assets that can be stolen with no chargebacks or recovery mechanisms once transferred. A developer’s compromised machine may hold access to hot wallets, deployment keys for smart contracts, or administrative access to exchange infrastructure — all of which represent direct financial value to an attacker.

How to Defend Against JINX-0164 Tactics

  • Treat unsolicited meeting links with scepticism — verify that conferencing links come from official domains before clicking, particularly when received via LinkedIn from new contacts
  • Enable GitHub Vigilant Mode — this surfaces commits from unverified authors, helping detect developer impersonation in your repositories
  • Audit dependencies and npm packages — review newly introduced packages for suspicious behaviour and use tools like Socket.dev or Snyk to scan for malicious packages before installation
  • Monitor for VPN usage from known anonymisation services — JINX-0164 is known to use ExpressVPN, Astrill VPN, and Mullvad; unusual VPN traffic from development endpoints warrants investigation
  • Deploy Endpoint Detection and Response (EDR) on macOS devices — many development teams default to macOS but leave it less protected than Windows endpoints
  • Enable audit logging across cloud platforms and version control systems to detect unusual access patterns
  • Rotate credentials and tokens for any developer whose machine may have been exposed to suspicious software
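The Vigilant Mode recommendation above rests on one fact: the author name and e-mail on a commit are plain text set by whoever made the commit, so only a signature ties them to a real person. The script below is an added example written for this post (not code from the original article or from Wiz.io) that audits a range of commits for the impersonation pattern described in the supply chain section. It reads the tab-separated output of a `git log` format (assumed to be run beforehand, shown in the docstring) whose `%G?` field is git's signature status and whose `%GS` field is the signer identity reported by the verification backend; for gpg that is the key user ID, which normally includes the e-mail address, and the script relies on that. The sample log lines and the trusted-domain set are constructed.

```python
"""Audit a range of commits for signs of author impersonation.

Added example for this post; not code from the original article or from Wiz.io.
It expects one commit per line in the tab-separated format produced by this
command, assumed to have been run beforehand:

    git log --format='%H%x09%G?%x09%GS%x09%an%x09%ae%x09%s' origin/main..HEAD

%G? is git's signature status: G good, U good but untrusted key, N unsigned,
B bad, E cannot be checked, X/Y expired, R revoked. %GS is the signer identity
from the verification backend (for gpg, the key user ID, assumed to include the
e-mail). The log lines and the trusted-domain set below are constructed.
"""

# Assumed: commits in this repository are expected only from these domains.
TRUSTED_AUTHOR_DOMAINS = {"example.com"}

# Constructed sample git log output (tab-separated, six fields per line).
SAMPLE_GIT_LOG = "\n".join([
    "a1b2c3\tG\tAlice Example <alice@example.com>\tAlice Example\talice@example.com\tfix: bounds check in parser",
    "d4e5f6\tN\t\tAlice Example\talice@example.com\tchore: bump dependencies",
    "0718aa\tG\tM. Keyholder <mkeyholder@example.com>\tBob Example\tbob@example.com\trefactor: wallet signing path",
    "9c9c9c\tU\tCarol Example <carol@example.com>\tCarol Example\tcarol@example.com\tdocs: update README",
    "b00b00\tN\t\tAlice Example\talice@mail-relay.test\tfeat: add telemetry hook",
])

SIGNATURE_PROBLEMS = {
    "B": "bad signature",
    "E": "signature cannot be checked (e.g. signing key not available)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
}


def parse_git_log(text):
    """Turn the tab-separated log into a list of commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 5)  # the subject may itself contain tabs
        if len(fields) != 6:
            raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}: {line!r}")
        sha, status, signer, author_name, author_email, subject = fields
        commits.append({"sha": sha, "status": status, "signer": signer,
                        "author_name": author_name, "author_email": author_email,
                        "subject": subject})
    return commits


def audit_commits(commits, trusted_domains=TRUSTED_AUTHOR_DOMAINS):
    """Return [(sha, [reasons])] for commits that need a second look."""
    findings = []
    for c in commits:
        reasons = []
        email = c["author_email"].lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in trusted_domains:
            reasons.append(f"author domain {domain!r} is not a trusted domain")
        status = c["status"]
        if status == "N":
            # Nothing ties the free-form author name/e-mail to a real person.
            reasons.append("unsigned commit: author identity is unverified")
        elif status == "U":
            reasons.append("valid signature but the key is not trusted; confirm it belongs to the author")
        elif status in SIGNATURE_PROBLEMS:
            reasons.append(SIGNATURE_PROBLEMS[status])
        elif status != "G":
            reasons.append(f"unknown signature status {status!r}")
        if status in ("G", "U") and email not in c["signer"].lower():
            # A good signature from a key that is not the author's means someone
            # else signed a commit attributed to this author.
            reasons.append(f"signed by {c['signer']!r}, which does not match author {email}")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings


if __name__ == "__main__":
    for sha, reasons in audit_commits(parse_git_log(SAMPLE_GIT_LOG)):
        print(sha)
        for reason in reasons:
            print("  -", reason)
```

In the constructed sample the first commit is clean, the second is a routine but unsigned commit, the third is the case the post warns about (a good signature, but from a key that is not the named author's), the fourth is signed by a key the reviewer has not yet trusted, and the last combines an outside e-mail domain with no signature. Enforcing signed commits on protected branches removes the unsigned cases entirely and leaves only key-to-author mismatches to review.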

A Broader Warning About LinkedIn Social Engineering

JINX-0164’s methods are not unique — LinkedIn-based social engineering has become a consistent initial access technique for multiple threat groups, including North Korean state-sponsored actors. The professional context of LinkedIn lowers victims’ guard in a way that cold email phishing rarely achieves. Businesses should include LinkedIn-based social engineering scenarios in security awareness training, and developers in particular should be briefed on the risk of clicking links or downloading files received via professional networking platforms.

BIT Tech IT Solutions provides cybersecurity awareness training and endpoint security services. Contact our team to discuss how to protect your organisation.