- Trending
- Comments
- Latest
A cybercrime group has been targeting cryptocurrency developers through fake LinkedIn meeting invitations since at least mid-2025, deploying malware that steals credentials and infiltrates software development pipelines, according to cloud security firm Wiz.
The findings, published on May 27, reveal how JINX-0164 Hackers are expanding beyond wallet theft to target the infrastructure underpinning the broader cryptocurrency ecosystem.
The operation focuses on developers working in the crypto industry, particularly those using macOS devices. By posing as business contacts on LinkedIn and directing victims to counterfeit meeting platforms, JINX-0164 Hackers have been able to gain access to passwords, cloud tokens, GitHub accounts, and cryptocurrency wallet information.
According to Wiz, the campaign begins with professional-looking LinkedIn profiles that engage developers in seemingly legitimate business discussions. Once trust is established, victims are invited to what appears to be a video conference hosted on platforms resembling Microsoft Teams and other collaboration tools.
Instead of joining a meeting, users are prompted to install software purportedly required for the call. The download delivers AUDIOFIX, a custom malware strain specifically designed for macOS systems.
“According to Wiz, AUDIOFIX installs silently through a script hosted on a fake Apple-themed site.” — Wiz, Cloud Security Firm.
Researchers said the malware operates on both Intel-based and Apple Silicon devices. Once installed, it establishes persistence, disguises itself as an audio-related system component, and communicates with attacker-controlled servers through encrypted HTTPS channels.
The report found that JINX-0164 Hackers designed AUDIOFIX to evade quick detection while collecting sensitive information from infected systems. The malware reportedly extracts passwords stored in macOS Keychain, browser credentials, SSH keys, cloud access tokens, and cryptocurrency wallet data.
Wiz also noted that attackers directly phished for passwords and stored stolen credentials in encoded files, providing additional access to corporate and personal accounts.
The threat posed by JINX-0164 Hackers extends beyond individual devices. Researchers found that the group also targets development environments used by crypto firms to build and deploy software.
In one case documented in early 2026, attackers allegedly used stolen GitHub tokens to access CI/CD pipelines and extract sensitive secrets using an open-source tool known as nord-stream.
“Wiz said the attackers used stolen GitHub tokens to extract secrets from CI/CD pipelines.” — Wiz, Cloud Security Firm.
The group reportedly inserted AUDIOFIX into internal repositories and manipulated Git commit metadata to make malicious code appear as though it originated from trusted developers. This tactic enabled the attackers to push compromised code into active branches, increasing the likelihood that other developers would unknowingly download and execute infected software.
Researchers said JINX-0164 Hackers effectively turned trusted development workflows into attack vectors. GitHub’s Vigilant Mode reportedly detected suspicious activity in at least one incident after identifying commits that lacked verified GPG signatures despite appearing to come from legitimate contributors.
The findings highlight the growing risk facing crypto firms, where access to source code repositories can provide attackers with opportunities to compromise entire organizations rather than isolated users.
Beyond private repositories, JINX-0164 Hackers were also linked to a confirmed software supply chain attack involving a widely used public package.
According to Wiz, the group compromised version 4.9.1 of @velora-dex/sdk on April 7, 2026. The attackers allegedly inserted a malicious base64-encoded command designed to fetch and execute a remote script.
The script deployed MINIRAT, a lightweight backdoor written in Go that enables persistence and remote command execution on compromised machines.
Researchers found that AUDIOFIX and MINIRAT shared several command-and-control domains, including datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. The attackers reportedly masked their activity using VPN services such as Mullvad VPN, Astrill VPN, and ExpressVPN.
Wiz observed similarities between JINX-0164 Hackers and threat groups associated with North Korea, including UNC1069 and Sapphire Sleet. However, the company emphasized that there was “no direct infrastructure overlap” and classified the actors as a separate financially motivated group.
“There was ‘no direct infrastructure overlap,’” — Wiz, Cloud Security Firm.
The campaign underscores how modern cybercriminal operations increasingly blend social engineering, malware deployment, credential theft, and supply chain compromise into a single attack strategy.
For crypto companies, the threat from JINX-0164 Hackers is particularly significant because developers often possess privileged access to wallets, cloud environments, repositories, and deployment systems. A single compromised account can create a pathway into critical infrastructure.
The incident also follows broader concerns about software supply chain security. Wiz referenced a separate attack in May that compromised more than 170 npm and PyPI packages, including the official Mistral AI Python library. That breach exposed GitHub tokens and cloud credentials belonging to developers across multiple industries.
Security experts are now urging organizations to audit CI/CD pipelines, investigate unverified Git commits, monitor unusual VPN activity, and review access controls for repositories and cloud services. Developers who interacted with suspicious LinkedIn contacts are also advised to scan their devices and rotate credentials immediately.
Source; Analytics Insights
Copyright © 2025 - The Bit Gazette.
