NEWS Credulity hurts more than any hacker. New group steals millions through fake audio files

pinkman

One click on a fake Teams link, and the entire development team suddenly works for the hackers.

Hackers have found a new way into cryptocurrency companies: they befriend developers on LinkedIn, invite them to a “business meeting”, and then slip them malware under the guise of fixing an audio problem. This is how the new group JINX-0164, tracked by Wiz, operates.

According to Wiz CIRT and Wiz Research, JINX-0164 has been attacking developers and development infrastructure at cryptocurrency organizations since at least mid-2025. The attackers use convincing LinkedIn profiles, fake video-call pages and macOS malware. Their main goal, according to Wiz, is to steal cryptocurrency and gain access to development systems.

In one of the cases investigated, the attack unfolded over about two weeks. The attacker first contacted the employee on LinkedIn and introduced himself as a potential business partner. The profile looked plausible: it had connections, a relevant work history and an industry match. After a short conversation the victim was offered a call, and the meeting link was disguised as a legitimate video service, including Microsoft Teams.

After clicking the link, the user downloaded and launched macOS malware. It was delivered by a shell script from the fake Apple.dreiver-store domain and posed as a system audio driver. Wiz calls this program AUDIOFIX. It is written in Python, steals data and gives the attackers remote access to the infected computer.

AUDIOFIX collected passwords, SSH keys, browser data, macOS keychain files, cloud-service credentials, Cloudflare tokens, data from Discord, Slack and Telegram, and information about cryptocurrency wallets. It also monitored the clipboard, where passwords, wallet addresses and other sensitive data often end up.

Having gained access to the developer’s computer, JINX-0164 did not expand the attack through cloud services. Instead, the attackers focused on repositories and internal development infrastructure. They planted AUDIOFIX in the source code to infect other employees who pulled the project and built it from the already compromised repository.

To cover their tracks, the group changed the commit author’s name and email address, passed malicious changes off as the work of other developers, pushed code directly to the main branch where the repository was not protected, or inserted the payload into existing branches. In one case the spread was stopped thanks to GitHub’s vigilant mode: the suspicious commits were marked as having an unverified signature, and audit logs tied the code to the originally infected device.
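The two signals that stopped the spread in that case, commits without a verified signature and commits whose author identity looks borrowed, can be checked from plain `git log` output. The script below is an added example, not Wiz’s or GitHub’s tooling; it assumes the format string shown in `GIT_FORMAT`, and the log lines, identities and trusted-address list are constructed so it runs without a repository.

```python
"""Audit commit metadata on a branch for unverified signatures and
author/committer identity mismatches. Added example with constructed
sample data; audit_repo() shows the same check against a real checkout."""
import subprocess

# %x1f makes git emit the ASCII unit separator, which cannot appear in
# names or email addresses, so splitting on it is unambiguous.
SEP = "\x1f"
GIT_FORMAT = SEP.join(["%H", "%G?", "%an", "%ae", "%cn", "%ce"])

# git's %G? signature-status codes.
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot be checked (missing key or error)",
    "N": "no signature",
}


def parse_log_line(line):
    """Split one formatted log line into
    (sha, sig status, author name, author email, committer name, committer email)."""
    fields = line.rstrip("\n").split(SEP)
    if len(fields) != 6:
        raise ValueError(f"unexpected log line: {line!r}")
    return tuple(fields)


def audit_commits(lines, trusted_emails):
    """Return (short sha, reason) pairs for every commit that fails a check.

    Checks:
      * the commit does not carry a good signature (%G? != 'G');
      * author and committer emails differ, a sign the author field was edited;
      * the author email is not one of the team's known addresses.
    """
    trusted = {e.lower() for e in trusted_emails}
    findings = []
    for line in lines:
        if not line.strip():
            continue
        sha, sig, _an, ae, _cn, ce = parse_log_line(line)
        short = sha[:12]
        if sig != "G":
            findings.append((short, "signature: " + SIG_STATUS.get(sig, "unknown status")))
        if ae.lower() != ce.lower():
            findings.append((short, f"author {ae} differs from committer {ce}"))
        if ae.lower() not in trusted:
            findings.append((short, f"author {ae} is not a known team address"))
    return findings


def audit_repo(path, branch="main", trusted_emails=()):
    """Run the audit against a real checkout (not exercised by the sample below)."""
    out = subprocess.run(
        ["git", "-C", path, "log", f"--format={GIT_FORMAT}", branch],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit_commits(out.split("\n"), trusted_emails)


# Constructed sample: four commits as git would print them with GIT_FORMAT.
TRUSTED = {"alice@example.com", "bob@example.com"}
SAMPLE_LOG = [
    SEP.join(["0a1b2c3d4e5f60718293a4b5c6d7e8f901234567", "G",
              "Alice Example", "alice@example.com", "Alice Example", "alice@example.com"]),
    SEP.join(["1b2c3d4e5f60718293a4b5c6d7e8f90123456789", "N",
              "Bob Example", "bob@example.com", "Bob Example", "bob@example.com"]),
    # Author field rewritten to look like Bob's work, committed from Alice's machine.
    SEP.join(["2c3d4e5f60718293a4b5c6d7e8f9012345678901", "N",
              "Bob Example", "bob@example.com", "Alice Example", "alice@example.com"]),
    # Unknown address with a signature git cannot verify.
    SEP.join(["3d4e5f60718293a4b5c6d7e8f901234567890123", "E",
              "Alice Example", "alice@contractor.example", "Alice Example", "alice@contractor.example"]),
]

if __name__ == "__main__":
    for sha, reason in audit_commits(SAMPLE_LOG, TRUSTED):
        print(sha, reason)
```

Only the first sample commit passes cleanly; the others produce five findings in total. The check complements rather than replaces branch protection: a branch protection rule that requires signed commits rejects the unsigned pushes before they land, and this audit catches what already sits in history.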

Wiz also links JINX-0164 to a supply-chain attack. On 7 April 2026 the group inserted malicious code into version 4.9.1 of the @velora-dex/sdk npm package. When the package was loaded, the malicious insert tried to download a script that installed MINIRAT, a small remote-access program written in Go. The original code on GitHub was unchanged, so Wiz believes the attackers obtained the npm credentials.
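A release whose registry artefact contains code the repository does not is exactly what the unchanged GitHub source pointed to here, and it is detectable by comparing the files in the published tarball with the files at the matching git tag. The script below is an added example, not Wiz’s tooling; the package name `@example/sdk`, its contents, the tarball and the stand-in for the git tree are all constructed so the comparison runs offline.

```python
"""Compare the files inside a published npm tarball with the files at the
matching git tag. Added example; package contents are constructed."""
import hashlib
import io
import tarfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tarball):
    """Map every regular file in an npm tarball to its sha256.

    npm packs files under a top-level 'package/' directory; that prefix is
    stripped so paths line up with the repository layout.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = member.name
            if path.startswith("package/"):
                path = path[len("package/"):]
            digests[path] = _sha256(tar.extractfile(member).read())
    return digests


def tree_digests(files):
    """Digest a {path: bytes} mapping, standing in for the files at a git tag."""
    return {path: _sha256(content) for path, content in files.items()}


def compare_release(source, published):
    """Return paths that exist only in the tarball, only in the source, or differ."""
    common = set(source) & set(published)
    return {
        "added": sorted(set(published) - set(source)),
        "removed": sorted(set(source) - set(published)),
        "modified": sorted(p for p in common if source[p] != published[p]),
    }


def build_tarball(files):
    """Build a gzip tarball in npm's layout from a {path: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("package/" + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed release: the files committed at the tag ...
SOURCE_FILES = {
    "package.json": b'{"name":"@example/sdk","version":"1.2.3","main":"dist/index.js"}\n',
    "dist/index.js": b"module.exports = { hello: () => 'hello' };\n",
}
# ... and what the registry served under the same version: the entry point
# gained an extra require() and a file the repository never contained.
PUBLISHED_FILES = dict(SOURCE_FILES)
PUBLISHED_FILES["dist/index.js"] = b"require('./_init');\n" + SOURCE_FILES["dist/index.js"]
PUBLISHED_FILES["dist/_init.js"] = b"// constructed placeholder for code absent from the repository\n"
PUBLISHED_TARBALL = build_tarball(PUBLISHED_FILES)


def audit_sample():
    """Run the comparison on the constructed release."""
    return compare_release(tree_digests(SOURCE_FILES), tarball_digests(PUBLISHED_TARBALL))


if __name__ == "__main__":
    for kind, paths in audit_sample().items():
        print(f"{kind}: {paths}")
```

On the constructed data the report lists `dist/_init.js` as added and `dist/index.js` as modified. For a real package the tarball URL is available via `npm view <name>@<version> dist.tarball`. Packages with a build step or a `files` filter in package.json legitimately differ from the raw tree, so the right-hand side of the comparison should then be a locally reproduced build from the tag rather than the checked-out sources.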

MINIRAT collects basic system information, including the hostname, username and external IP address, and then contacts the command-and-control server. It can execute commands and download and upload files, but does not perform automatic mass data theft like AUDIOFIX.

JINX-0164’s infrastructure imitated Microsoft Teams, Slack, Airchall, driver-update pages and the websites of cryptocurrency companies. The attackers registered look-alike domains, copied real pages, added localization and reference material, and placed malware on only a few individual pages. To mask network activity, the group used specialized services.

In its techniques, JINX-0164 resembles some North Korean groups that also hunt cryptocurrency companies and developers. However, Wiz found no infrastructure overlap with already known groups, and the malware and individual techniques were implemented differently. Experts therefore do not yet attribute JINX-0164 to a specific state or sponsor.

For companies, the main conclusion of the investigation is simple: developers remain one of the most attractive targets in attacks on the cryptocurrency industry. A single infected laptop can give attackers access not only to wallets and passwords but also to build systems, repositories and code distribution channels.