The crypto industry faces a persistent and evolving threat from state-sponsored malware campaigns that bypass traditional security perimeters by exploiting professional trust. On May 28, 2026, Wiz researchers confirmed the discovery of JINX-0164, a previously undocumented threat cluster actively stealing private keys and seed phrases from 51 browser-based cryptocurrency wallet extensions and 26 desktop wallets through a sophisticated fake LinkedIn recruiter campaign. With Bitcoin trading near $73,200 and Ethereum below $2,000 amid a broader market selloff, the timing of this disclosure amplifies concerns about portfolio vulnerability during periods of heightened volatility.
The Exploit Mechanics
JINX-0164 deploys a malware payload called AUDIOFIX that masquerades as a macOS system audio driver (coreaudiod). The attack chain begins with a convincing LinkedIn recruiter profile that invites a target — typically someone working at a crypto exchange, DeFi protocol, or blockchain development firm — to a virtual business meeting on a spoofed domain. Confirmed spoofing domains include teams.live.us[.]org (impersonating Microsoft Teams), bitget-meeting[.]com (impersonating Bitget exchange), and live[.]ong.
During the call, a staged technical fault — a frozen screen, failed audio, or camera error — creates the pretext for the victim to download a troubleshooting script or driver update. This file is fetched from delivery domains such as apple.driver-store[.]com, apple.driver-update[.]io, and driver-updater[.]net. The malware is architecture-aware, running natively on both Intel and Apple Silicon Macs, which significantly broadens its attack surface across the macOS-using crypto workforce.
Once executed, AUDIOFIX conducts an automated credential sweep targeting 51 browser-based cryptocurrency wallet extensions and 26 desktop wallet applications. It harvests credential stores across seven browsers including Chrome, Firefox, Safari, Brave, Edge, and Chromium variants. Beyond wallet data, it exfiltrates SSH private keys, AWS and GCP authentication tokens, Discord tokens, Slack workspace data, Telegram directory contents, and clipboard history with timestamps.
Affected Systems
The scope of compromised systems extends far beyond individual wallets. In April 2026, JINX-0164 operators trojanized the @velora-dex/sdk npm package (version 4.9.1), injecting three lines of code into the package's dist/index.js file that silently installed a Go-based backdoor called MiniRAT. This gave the threat actor a second persistent access channel into developer CI/CD pipelines, with file upload, download, compression, and shell execution capabilities.
The campaign targets professionals at cryptocurrency exchanges, DeFi protocols, and blockchain development firms. Wiz researchers assess the behavioral patterns as consistent with North Korean financially motivated groups including BlueNoroff, Contagious Interview, and UNC1069, though JINX-0164 maintains distinct infrastructure without confirmed overlap. North Korean threat actors collectively stole $1.3 billion in cryptocurrency in 2024 according to Chainalysis, and the precision targeting of wallet credential stores reflects the same operational doctrine.
Stolen data is exfiltrated to command-and-control domains including datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. AUDIOFIX also supports remote Python code execution, arbitrary shell commands, file deletion, and additional payload retrieval, effectively transforming an infected machine into a persistent remote access foothold.
The Mitigation Strategy
Organizations and individuals must adopt a multi-layered defense posture against JINX-0164 and similar social engineering campaigns. First, verify all recruiter contacts through secondary channels before accepting meeting invitations. Never download software or drivers prompted during a video call, regardless of how legitimate the error appears. Second, audit all npm dependencies for unexpected modifications, particularly in packages that have recently changed maintainers or published rapid version updates. Third, deploy endpoint detection that flags any process named coreaudiod that is not running from Apple's signed system binary. Fourth, use hardware wallets for significant holdings and never store seed phrases in digital format accessible to browser-based malware.
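One way to implement the coreaudiod check from the third point, as an added example that is not part of the Wiz research or this article: list running processes, keep those named coreaudiod, and treat anything that is off the standard system path or whose code signature does not chain to Apple's own signing authorities as a finding. The legitimate path /usr/sbin/coreaudiod and the Authority= lines are assumptions about a standard macOS install; the ps and codesign output below is constructed so the logic runs on any platform.

```python
import os
import subprocess

# Apple's genuine audio daemon lives here (assumption about a standard macOS layout).
LEGIT_PATH = "/usr/sbin/coreaudiod"

def parse_ps(ps_output):
    """Parse `ps -axo pid=,comm=` output into (pid, executable path) pairs."""
    procs = []
    for line in ps_output.splitlines():
        if line.strip():
            pid, _, comm = line.strip().partition(" ")
            procs.append((int(pid), comm.strip()))
    return procs

def is_apple_signed(codesign_output):
    """Apple system binaries chain to 'Software Signing' and 'Apple Root CA' in the
    Authority= lines `codesign -dvv` prints (on stderr); a Developer ID or ad-hoc signature does not."""
    authorities = {l.split("=", 1)[1] for l in codesign_output.splitlines()
                   if l.startswith("Authority=")}
    return {"Software Signing", "Apple Root CA"} <= authorities

def evaluate(procs, signer_lookup):
    """Return (pid, path, reason) for every coreaudiod that is off-path or not Apple-signed."""
    findings = []
    for pid, path in procs:
        if os.path.basename(path) != "coreaudiod":
            continue
        reasons = []
        if path != LEGIT_PATH:
            reasons.append("unexpected path")
        if not is_apple_signed(signer_lookup(path)):
            reasons.append("not Apple-signed")
        if reasons:
            findings.append((pid, path, "; ".join(reasons)))
    return findings

def live_scan():
    """Run the same checks against the real host (macOS only)."""
    ps = subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True, check=True).stdout
    sign = lambda p: subprocess.run(["codesign", "-dvv", p], capture_output=True, text=True).stderr
    return evaluate(parse_ps(ps), sign)

# Constructed sample data standing in for a live host: one genuine daemon, one look-alike.
SAMPLE_PS = "  212 /usr/sbin/coreaudiod\n 4711 /Users/dev/Library/Audio/coreaudiod\n 4720 /System/Applications/Music.app/Contents/MacOS/Music\n"
SAMPLE_CODESIGN = {
    "/usr/sbin/coreaudiod": "Identifier=com.apple.audio.coreaudiod\nAuthority=Software Signing\nAuthority=Apple Code Signing Certification Authority\nAuthority=Apple Root CA\n",
    "/Users/dev/Library/Audio/coreaudiod": "Identifier=coreaudiod\nSignature=adhoc\n",
}

if __name__ == "__main__":
    for pid, path, reason in evaluate(parse_ps(SAMPLE_PS), lambda p: SAMPLE_CODESIGN.get(p, "")):
        print(f"pid {pid}: {path} ({reason})")
```

On a real Mac, `live_scan()` applies the same rules to the host; the sample data only exercises the decision logic.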
For teams running CI/CD pipelines, implement lockfiles and integrity checks on all third-party packages. The @velora-dex/sdk compromise demonstrates that supply chain attacks remain one of the most effective vectors for gaining access to developer infrastructure.
Lessons Learned
The JINX-0164 campaign reinforces several critical lessons for the crypto security community. The attack exploits no software vulnerabilities — it exploits professional trust and social norms around remote collaboration. As the crypto industry increasingly operates in distributed, remote-first environments, the attack surface for social engineering campaigns grows proportionally. The convergence of AI-generated deepfakes and increasingly convincing fake profiles will only amplify these threats in the coming months.
The trojanization of the @velora-dex/sdk package also underscores the fragility of the open-source software supply chain. A single compromised package can propagate backdoor access across dozens of downstream projects and their production environments.
User Action Required
If you work in cryptocurrency, DeFi, or crypto-adjacent software development and use macOS, take immediate action. Check your installed browser extensions for unrecognized wallet add-ons. Rotate credentials for any wallet that was accessible on a machine that may have been compromised. Audit your npm lockfiles for the @velora-dex/sdk package version 4.9.1. Enable two-factor authentication on all exchange accounts and consider migrating funds to hardware wallets until the full scope of JINX-0164 infections is understood. Report any suspicious LinkedIn recruiter contacts to your security team immediately.
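The lockfile audit recommended for CI/CD teams above, and the check for @velora-dex/sdk 4.9.1 in this section, can be scripted as follows. This is an added example, not code from the article or from the package's maintainers: it walks a lockfileVersion 2/3 package-lock.json, flags the version named in the text, reports entries with no integrity hash pinned, and verifies a fetched tarball against an npm-style SRI hash. The lockfile excerpt, the second package name and the tarball bytes are constructed.

```python
import base64
import hashlib
import json

# Package and version named in the article; everything else in this file is constructed.
KNOWN_BAD = {"@velora-dex/sdk": {"4.9.1"}}

def sri(data: bytes, algo: str = "sha512") -> str:
    """Compute a Subresource Integrity string in the form npm stores under `integrity`."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def verify_tarball(data: bytes, integrity: str) -> bool:
    """Check fetched tarball bytes against the lockfile hash; npm may list several, any match suffices."""
    return any(sri(data, entry.partition("-")[0]) == entry for entry in integrity.split())

def installed_packages(lock: dict):
    """Yield (name, version, integrity) for each lockfileVersion 2/3 entry, skipping the root project."""
    for path, meta in lock.get("packages", {}).items():
        if path:
            yield path.split("node_modules/")[-1], meta.get("version"), meta.get("integrity", "")

def audit(lock: dict) -> list:
    """Report known-bad versions and entries with no integrity hash pinned."""
    findings = []
    for name, version, integrity in installed_packages(lock):
        if version in KNOWN_BAD.get(name, ()):
            findings.append(f"{name}@{version}: version flagged in the advisory")
        if not integrity:
            findings.append(f"{name}@{version}: no integrity hash pinned")
    return findings

# Constructed package-lock.json excerpt: one flagged package, one with its integrity hash missing.
SAMPLE_LOCK = json.loads("""{
  "name": "constructed-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/@velora-dex/sdk": {"version": "4.9.1",
      "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-4.9.1.tgz",
      "integrity": "sha512-CONSTRUCTED_PLACEHOLDER"},
    "node_modules/constructed-util": {"version": "2.0.0",
      "resolved": "https://registry.npmjs.org/constructed-util/-/constructed-util-2.0.0.tgz"}
  }
}""")

if __name__ == "__main__":
    for line in audit(SAMPLE_LOCK):
        print(line)
    # Verifying a downloaded tarball against its pinned hash (constructed bytes stand in for the .tgz).
    tarball = b"constructed tarball bytes"
    print(verify_tarball(tarball, sri(tarball)), verify_tarball(tarball + b"!", sri(tarball)))
```

In a pipeline, load the real package-lock.json with `json.load` and fail the build when `audit` returns anything; the same `verify_tarball` check belongs wherever tarballs are pulled from a registry mirror.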
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for incident response.
51 browser extensions AND 26 desktop wallets. This thing was casting the widest net I've seen all year.
The fake LinkedIn recruiter angle is exactly how Bybit got hit in February. When are crypto firms going to stop letting engineers use personal machines for anything work-related?
coreaudiod impersonation on macOS is nasty. Most people would never check if that process is legit.