JINX-0164

Summary

JINX-0164 is a financially motivated threat actor tracked by Wiz in 2026 reporting on cryptocurrency-sector intrusions. Wiz assesses the cluster has been active since at least mid-2025 and targets cryptocurrency organizations and developers through recruiter or business-partner social engineering, fake meeting / driver-fix pages, custom macOS malware, credential theft, and abuse of development infrastructure.

Wiz notes that JINX-0164 shares broad targeting and tactic similarities with North Korea-linked cryptocurrency developer targeting, but the public evidence does not yet support attribution to a sponsor. Treat JINX-0164 as a distinct financially motivated cluster unless future public reporting links it more firmly.

Primary motivation

  • Cryptocurrency theft from individuals and organizations.
  • Access to developer workstations, source repositories, package-publishing accounts, cloud environments, and CI/CD secrets that can support later theft or supply-chain compromise.
  • Propagation through trusted internal code distribution paths after an endpoint foothold is obtained.

Core tradecraft

Social engineering

  • LinkedIn approaches using recruiter, business-partner, or cryptocurrency-industry personas.
  • Fake virtual-meeting pages or fake troubleshooting flows that imitate Microsoft Teams, Slack, Aircall, cryptocurrency companies, or driver-update/help portals.
  • ClickFix-style instructions that convince macOS users to run a shell command or installer presented as an audio/meeting fix.

Malware and endpoint collection

  • AUDIOFIX: Python-based macOS infostealer/RAT delivered through fake meeting or driver-fix flows; reported collection includes Keychain material, browser credentials, local admin credentials, SSH keys, cloud and package-management credentials, configuration files, console history, cryptocurrency wallet information, and communication-app sessions.
  • MINIRAT: lightweight Go backdoor distributed through the @velora-dex/sdk npm supply-chain operation and later variants; supports host registration, file upload/download, and command execution.
  • Architecture-aware macOS payload delivery for Intel and Apple Silicon systems, with persistence via launchctl and masquerading as audio or Chrome updater components.

Development-infrastructure abuse

  • Stolen GitHub tokens and endpoint credentials used to reach source repositories and internal code distribution systems.
  • Malicious commits pushed directly to main where possible, or inserted into existing branches when direct main access was blocked.
  • Commit metadata manipulation to impersonate other developers; Wiz reported that GitHub Vigilant Mode and audit-log correlation helped expose mismatched commit authorship and compromised endpoint activity.
  • Public package compromise: Wiz attributes the April 2026 trojanized @velora-dex/sdk@4.9.1 npm package to JINX-0164.
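
A detection sketch for the commit-impersonation signals above, added here as an example for this profile (it is not Wiz's or GitHub's tooling). It treats the author and committer headers of a commit as attacker-controlled and the GitHub login recorded as the pusher in the audit log as the fact to correlate against, then layers the other signals (unverified signature, direct push to main, planted install hooks or scripts) on top. The record shape, the identity directory (`IDENTITY_DIRECTORY`), the protected refs and the path patterns are assumptions; the sample pushes are constructed.

```python
"""
Correlate commit metadata with the identity that pushed it, to surface the
impersonated-author pattern described above.  Added example for this profile,
not Wiz's or GitHub's tooling.  Each record is constructed to resemble a
GitHub audit-log `git.push` event joined with one commit it carried; the field
names, the identity directory and the path patterns are assumptions.
"""
import re

# Assumed identity directory: GitHub login -> e-mail addresses that login commits with.
IDENTITY_DIRECTORY = {
    "alice": {"alice@example.test"},
    "bob": {"bob@example.test"},
}
PROTECTED_REFS = {"refs/heads/main"}

# Additions matching what the profile reports being planted in internal projects:
# interpreter-run payloads, shell downloaders, build/install hooks (patterns assumed).
RISKY_ADDITION = re.compile(
    r"(^|/)(postinstall|preinstall|install|setup|build)\.(sh|py|js)$|\.sh$", re.I
)


def assess_commit(commit, directory=IDENTITY_DIRECTORY, protected=PROTECTED_REFS):
    """Return signal names for one pushed commit; an empty list means nothing unusual."""
    findings = []
    # Author/committer headers are attacker-controlled; the pusher is the audit-log fact.
    if commit["author_email"] not in directory.get(commit["pusher"], set()):
        findings.append("author-not-pusher")
    if commit["committer_email"] != commit["author_email"]:
        findings.append("committer-differs-from-author")
    if not commit["verified"]:  # GitHub signature verification result (Vigilant Mode surfaces this)
        findings.append("unverified-signature")
    if commit["ref"] in protected:  # a git.push event is a direct push, not a merged PR
        findings.append("direct-push-to-protected-ref")
    if any(RISKY_ADDITION.search(p) for p in commit.get("added_paths", [])):
        findings.append("adds-install-hook-or-script")
    return findings


def triage(commits):
    """Rank commits; identity mismatch plus any second signal is the strongest pattern."""
    ranked = {}
    for c in commits:
        f = assess_commit(c)
        if "author-not-pusher" in f and len(f) >= 2:
            ranked[c["sha"]] = ("high", f)
        elif f:
            ranked[c["sha"]] = ("review", f)
    return ranked


# Constructed sample: three pushed commits.  The second is bob pushing a commit whose
# author header claims alice, unsigned, straight to main, adding an install hook.
SAMPLE_PUSHES = [
    {"sha": "1111111", "pusher": "alice", "ref": "refs/heads/feature/api",
     "author_email": "alice@example.test", "committer_email": "alice@example.test",
     "verified": True, "added_paths": ["src/api.py"]},
    {"sha": "2222222", "pusher": "bob", "ref": "refs/heads/main",
     "author_email": "alice@example.test", "committer_email": "alice@example.test",
     "verified": False, "added_paths": ["scripts/postinstall.sh", "tools/helper.py"]},
    {"sha": "3333333", "pusher": "bob", "ref": "refs/heads/feature/ui",
     "author_email": "bob@example.test", "committer_email": "bob@example.test",
     "verified": False, "added_paths": []},
]

if __name__ == "__main__":
    for sha, (level, signals) in triage(SAMPLE_PUSHES).items():
        print(sha, level, ", ".join(signals))
```

The ranking deliberately keeps single signals such as an unverified signature at "review" level, because those occur in legitimate workflows; the pattern the profile describes is an author header that does not belong to the pushing identity combined with at least one more anomaly.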

Attribution notes

Wiz describes JINX-0164 as a previously unreported, financially motivated actor. The cluster overlaps thematically with North Korea-linked cryptocurrency developer targeting but differs in implementation details, malware language choices, dropper structure, cryptography libraries, exfiltration paths, and currently known infrastructure. Keep attribution caveated.

Defender signals

  • LinkedIn outreach that quickly moves to a fake meeting, audio-fix, or driver-update page.
  • macOS shell commands that pull troubleshooting scripts from fake driver or meeting-help domains.
  • Unexpected launchctl submissions or persistence for updater/audio-driver-like binaries such as ChromeUpdater or coreaudiod outside normal locations.
  • DNS, proxy, and endpoint telemetry for JINX-0164 domains and C2s reported by Wiz, including datahub.ink, cloud-sync.online, and byte-io.us where applicable.
  • GitHub pushes from developer endpoints or VPN egress points inconsistent with normal developer behavior, especially unverified commits with mismatched authorship.
  • Repository changes that add Python RAT payloads, shell downloaders, or build/install hooks to internal projects.
  • npm/package publishing events from cryptocurrency or DeFi SDK maintainers that differ from normal release automation.
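
For the launchctl persistence signal, an added example (not a Wiz tool) that parses launchd job plists and flags the masquerading pattern described above: a label or binary name that imitates coreaudiod or a Chrome updater component but runs from somewhere the genuine component never lives, an interpreter launching a script from a user-writable path, or a persisted program sitting in such a path. The expected-location table (`EXPECTED_PREFIXES`) and the user-writable prefixes are assumptions to tune per fleet; the three plists are constructed.

```python
"""
Heuristic review of launchd job definitions for persistence that masquerades
as audio or Chrome updater components.  Added example for this profile, not a
Wiz tool; the sample plists are constructed, and the table of where the genuine
binaries live is an assumption to tune for your fleet.
"""
import plistlib
from pathlib import PurePosixPath

# Assumed baseline: names the profile reports being imitated -> directories the
# genuine component normally runs from.  Anything else with that name is suspect.
EXPECTED_PREFIXES = {
    "coreaudiod": ("/usr/sbin/",),
    "chromeupdater": ("/Library/Google/", "/Applications/Google Chrome.app/"),
    "googlesoftwareupdate": ("/Library/Google/",),
}
# Locations a system daemon or vendor updater does not run from (assumed; tune per fleet).
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/folders/", "/Users/")
# A job whose program is an interpreter runs whatever script follows it.
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}


def assess_launchd_job(plist_bytes):
    """Return signal names for one job definition; an empty list means nothing unusual."""
    job = plistlib.loads(plist_bytes)
    label = str(job.get("Label", "")).lower()
    args = [str(a) for a in job.get("ProgramArguments", [])] or (
        [str(job["Program"])] if "Program" in job else []
    )
    if not args:
        return ["no-program"]
    exe = args[0]
    exe_name = PurePosixPath(exe).name.lower()
    findings = []

    # 1. Label or binary name imitates an audio/Chrome updater component, but the
    #    program does not live where the genuine component does.
    for name, prefixes in EXPECTED_PREFIXES.items():
        if (name in label or name in exe_name) and not exe.startswith(prefixes):
            findings.append(f"masquerade:{name}:unexpected-path")

    # 2. An interpreter launching a script from a user-writable location
    #    (the profile reports the stealer/RAT is Python-based).
    if exe_name in INTERPRETERS:
        script = next((a for a in args[1:] if a.startswith("/")), "")
        if script.startswith(USER_WRITABLE):
            findings.append("interpreter-runs-script-from-user-writable-path")

    # 3. The persisted program itself sits in a user-writable path.
    if exe.startswith(USER_WRITABLE):
        findings.append("program-in-user-writable-path")

    # 4. Auto-start / keep-alive only matters once something else looks wrong.
    if findings and (job.get("RunAtLoad") or job.get("KeepAlive")):
        findings.append("auto-start")
    return findings


def scan(jobs):
    """Map plist path -> findings for every job that raised at least one signal."""
    report = {}
    for path, data in jobs.items():
        findings = assess_launchd_job(data)
        if findings:
            report[path] = findings
    return report


# Constructed sample plists keyed by where they were found on disk.
SAMPLE_JOBS = {
    "/Library/LaunchDaemons/com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/dev/Library/LaunchAgents/com.google.chromeupdater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.chromeupdater</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/Application Support/.cache/ChromeUpdater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/dev/Library/LaunchAgents/com.apple.audio.coreaudiod.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>ProgramArguments</key><array><string>/usr/bin/python3</string><string>/Users/dev/Library/Caches/coreaudiod/main.py</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_JOBS).items():
        print(path, "->", ", ".join(findings))
```

On a real host, feed `scan()` the bytes of every plist under /Library/LaunchAgents, /Library/LaunchDaemons and each user's ~/Library/LaunchAgents; the "/Users/" prefix in `USER_WRITABLE` will also flag legitimate user-installed agents, so treat it as a review queue rather than an alert on its own.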

Sources

  • Wiz: https://www.wiz.io/blog/threat-actors-target-crypto-orgs
  • StepSecurity Velora DEX SDK coverage: https://www.stepsecurity.io/blog/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-launchctl-persistence
  • iru MINIRAT coverage: https://www.iru.com/blog/minirat