51
cryptocurrency wallet browser extensions that AUDIOFIX automatically exfiltrates on first execution
26
desktop cryptocurrency wallet applications targeted for private key and seed phrase theft by AUDIOFIX
$1.3B
in cryptocurrency stolen by North Korean threat groups in 2024 per Chainalysis blockchain tracking
April 7
@velora-dex/sdk npm v4.9.1 trojanized by JINX-0164 to silently install MiniRAT on developer systems

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

JINX-0164 cryptocurrency malware is actively stealing private keys and seed phrases from 51 browser-based cryptocurrency wallet extensions and 26 desktop wallets, targeting professionals inside crypto exchanges, DeFi protocols, and blockchain development firms through a fake LinkedIn recruiter campaign confirmed by Wiz researchers on May 28, 2026. The threat actor, active since at least mid-2025, has conducted multiple intrusions and in April 2026 trojanized the @velora-dex/sdk npm package to distribute its MiniRAT backdoor directly into developer CI/CD pipelines.

JINX-0164 is a previously undocumented threat cluster with infrastructure and behavioral patterns that Wiz researchers assess as consistent with North Korean financially motivated groups including BlueNoroff, Contagious Interview, and UNC1069, though JINX-0164 maintains distinct infrastructure without confirmed overlap. North Korean threat actors collectively stole $1.3 billion in cryptocurrency in 2024 according to Chainalysis, and JINX-0164's precision targeting of wallet credential stores reflects that same operational doctrine.

The attack chain exploits no software vulnerabilities. It exploits professional trust. A convincing LinkedIn recruiter profile invites a target to a virtual business meeting. The meeting domain impersonates a legitimate teleconference service. A staged technical error during the call prompts the victim to download a "fix", which installs AUDIOFIX or MiniRAT. If you work in cryptocurrency, DeFi, or crypto-adjacent software development and you use macOS, JINX-0164 is actively targeting your credentials and wallet keys today.

How Does JINX-0164 Cryptocurrency Malware Work?

JINX-0164 cryptocurrency malware executes in four phases: recruitment lure, technical deception, malware delivery, and automated credential exfiltration.

Phase 1: LinkedIn recruitment lure. Operators build credible LinkedIn profiles posing as business contacts, investors, or talent recruiters within the cryptocurrency industry. They contact targets at crypto exchanges, DeFi protocols, and blockchain development companies with job opportunities or meeting invitations. The approach leverages industry-standard outreach that security-conscious professionals routinely accept.

Phase 2: Spoofed meeting domain. The invitation directs the target to a virtual meeting on an operator-controlled domain that impersonates a legitimate teleconference provider. Confirmed spoofing domains include teams.live.us[.]org (Microsoft Teams), bitget-meeting[.]com (Bitget exchange), and live[.]ong. During the meeting, a staged technical fault, a frozen screen, failed audio, camera error, creates the pretext for the next phase.

Phase 3: Malware delivery disguised as a fix. The victim is prompted to download and run a troubleshooting script or driver update. AUDIOFIX masquerades as a system audio driver (coreaudiod) and is architecture-aware, running natively on both Intel and Apple Silicon Macs. The payload is fetched from delivery domains including apple.driver-store[.]com (resolving to 89.36.224.5), apple.driver-update[.]io, and driver-updater[.]net.

Phase 4: Automated credential exfiltration. On first execution, AUDIOFIX conducts a complete credential sweep: it targets 51 browser-based cryptocurrency wallet extensions, 26 desktop wallet applications, credential stores across 7 browsers (Chrome, Firefox, Safari, Brave, Edge, Chromium variants), SSH private keys, AWS and GCP authentication tokens, Discord tokens, Slack workspace data, Telegram directory contents, and clipboard history with timestamps. Stolen data is exfiltrated to C2 domains datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. AUDIOFIX also supports remote Python code execution, arbitrary shell commands, file deletion, and additional payload retrieval, transforming the infected machine into a persistent remote access foothold.

For developers who imported @velora-dex/sdk version 4.9.1, MiniRAT was silently installed via three lines appended to the package's dist/index.js file. MiniRAT provides a separate Go-based backdoor channel with file upload, download, compression, and shell execution capabilities, giving JINX-0164 a second persistent access path into any environment that builds with the compromised package.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Active Targeting: Which Sectors and Roles Are at Risk?

JINX-0164 targets cryptocurrency organizations and the developers who build their infrastructure. Wiz confirmed multiple intrusions across cryptocurrency exchanges, DeFi protocol teams, and blockchain tooling companies. The April 7, 2026 supply chain attack on @velora-dex/sdk, a decentralized exchange SDK used by DeFi developers, demonstrates the group's intent to compromise not just individual employees but entire development pipelines and downstream users.

The role-specific targeting profile follows a consistent pattern across confirmed intrusions. JINX-0164 operators prioritize employees with access to cryptocurrency custody infrastructure: wallet administrators, blockchain engineers, protocol developers, and treasury managers. These roles hold private keys, seed phrases, and cloud authentication tokens that translate directly into financial theft at scale. A single successfully compromised wallet administrator at a cryptocurrency exchange can expose hundreds of millions of dollars in custodied assets.

The supply chain dimension extends the risk beyond direct targets. Developers who installed @velora-dex/sdk version 4.9.1 between April 7 and late April 2026 ran MiniRAT in their local build environments. Any CI/CD system that automatically resolved and installed this package, a standard practice in npm-based development workflows, received the backdoor without any user interaction. Source code modifications from MiniRAT's shell execution capability create potential for downstream software supply chain compromise affecting the users of any application built in that environment.

North Korean threat actors have established a proven playbook for cryptocurrency theft at this scale. The Bybit exchange heist of February 2025, attributed to North Korean Lazarus Group and resulting in $1.5 billion in losses, used similar social engineering vectors targeting developers with access to custody infrastructure. JINX-0164's focus on developer CI/CD environments through the Megalodon-style GitHub supply chain compromise pattern signals an escalation of this approach into the package ecosystem itself.

The broader developer credential theft risk is documented across multiple campaigns this year. The TanStack supply chain attack that exposed developer credentials on the dark web illustrates how compromised npm packages create persistent credential exposure long after the initial attack window closes, credentials stolen from developer CI/CD environments recirculate on dark web markets for months.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

JINX-0164 TTPs Mapped to MITRE ATT&CK

Wiz's analysis of JINX-0164 maps the campaign to seven MITRE ATT&CK techniques across the initial access, execution, and collection phases.

T1566.004, Spearphishing via Voice / Social Engineering: LinkedIn recruiter impersonation and spoofed meeting invitations represent a hybrid social engineering lure combining professional deception with technical failure theater. The campaign exploits the normalized practice of accepting LinkedIn connection requests and video meeting invitations in the cryptocurrency industry. (MITRE ATT&CK)

T1204.002, User Execution: Malicious File: AUDIOFIX and MiniRAT require user action to execute, the victim downloads and runs what they believe is a driver fix or troubleshooting script. The malware's coreaudiod naming and driver-store domain naming are designed to defeat casual inspection.

T1195.002, Supply Chain Compromise: Compromise Software Supply Chain: The @velora-dex/sdk npm supply chain attack on April 7 required no user interaction for developers whose CI/CD pipelines automatically resolved the package. This technique requires attackers to first compromise the package maintainer's npm account or registry access.

T1552.001, Unsecured Credentials: Credentials In Files: AUDIOFIX specifically sweeps for SSH private key files, AWS credential files (.aws/credentials), and GCP service account tokens in standard filesystem locations. These credentials provide lateral movement beyond the initial workstation.

T1539, Steal Web Session Cookie: AUDIOFIX extracts browser session cookies and authentication tokens, enabling account takeover of exchange accounts, developer portals, and cloud infrastructure without triggering MFA challenges.

T1555.003, Credentials from Password Stores: Credentials from Web Browsers: The malware systematically extracts saved passwords and stored credentials from all major browsers present on the infected system, prioritizing cryptocurrency-related sites and exchanges.

T1041, Exfiltration Over C2 Channel: All stolen credential packages are transmitted to the three C2 domains (datahub[.]ink, cloud-sync[.]online, byte-io[.]us) over encrypted HTTPS. Operators use ExpressVPN, Mullvad VPN, and Astrill VPN to mask cloud activity during the post-compromise access phase.

JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups, but its behavioral targeting patterns and financial motivation are fully consistent with the North Korean cryptocurrency theft playbook established since 2017.

Wiz Threat Research, May 28, 2026

How to Detect AUDIOFIX and MiniRAT on macOS

Detection of JINX-0164 cryptocurrency malware requires checks across process execution, file system, network activity, and package integrity.

Process and file system checks. Search for processes named coreaudiod running from non-standard locations outside of /usr/sbin/ or /System/Library/. Legitimate macOS coreaudiod lives at /usr/sbin/coreaudiod. Any coreaudiod binary in a user directory, /tmp, /var, or application support folder is anomalous. Run the command: sudo find / -name "coreaudiod" -not -path "/usr/sbin/coreaudiod" 2>/dev/null. Check for unexpected Python processes spawning from audio-related binary names.

Network indicators. Block and alert on outbound connections to datahub[.]ink, cloud-sync[.]online, byte-io[.]us, apple.driver-store[.]com, apple.driver-update[.]io, and driver-updater[.]net at the DNS and firewall layer. The IP addresses 185.100.85.250, 84.32.83.250, 153.92.126.84, 45.45.217.242, 208.115.220.17, 185.175.59.85, and 89.36.224.5 are associated with JINX-0164 infrastructure.

npm package audit. Any developer or organization that installed @velora-dex/sdk must audit package-lock.json and node_modules/.package-lock.json for version 4.9.1. Run: npm ls @velora-dex/sdk. If version 4.9.1 is present, treat the system as compromised. Check dist/index.js of the installed package for appended code fetching external URLs not in the original source.

Browser extension audit. Review installed browser extensions against your organization's approved list. AUDIOFIX targets 51 crypto wallet extensions, any extension with unexpected permissions to read clipboard contents or access all URLs warrants immediate review. Use Chrome's chrome://extensions/ page with Developer mode enabled to inspect extension IDs and source URLs.

LinkedIn contact verification. Any unexpected LinkedIn meeting invitation from a cryptocurrency recruiter, investor, or business contact requesting a virtual meeting should be verified through a second channel (email, Slack, phone) before the meeting link is clicked. Confirm the meeting domain matches the stated platform's official domain before joining.

Immediate Defensive Steps

Organizations in the cryptocurrency and blockchain development sectors need to act on JINX-0164 cryptocurrency malware indicators now. The following steps address the confirmed attack vectors across the fake recruiter lure, npm supply chain, and credential exfiltration phases.

Audit @velora-dex/sdk immediately

Check all developer systems and CI/CD pipelines for @velora-dex/sdk version 4.9.1. Run npm ls @velora-dex/sdk across all repositories. Treat any system with version 4.9.1 present as potentially compromised and rotate all credentials on that system.

Block JINX-0164 domains and IPs at DNS and firewall

Add datahub[.]ink, cloud-sync[.]online, byte-io[.]us, apple.driver-store[.]com, apple.driver-update[.]io, and driver-updater[.]net to your DNS blocklist. Block IPs: 185.100.85.250, 84.32.83.250, 153.92.126.84, 45.45.217.242, 208.115.220.17, 185.175.59.85, 89.36.224.5.

Scan for anomalous coreaudiod processes

Run sudo find / -name "coreaudiod" -not -path "/usr/sbin/coreaudiod" 2>/dev/null on all macOS developer endpoints. Alert on any result. Legitimate coreaudiod is always at /usr/sbin/coreaudiod.

Rotate cryptocurrency wallet credentials and move funds

If any developer in your organization may have installed a malicious fix or driver update in the last 90 days, assume wallet seed phrases and private keys on that device are compromised. Move funds to a new wallet generated on a clean device before taking any other action.

Enforce hardware MFA for cryptocurrency custody access

SSH keys and browser session cookies stolen by AUDIOFIX bypass software MFA. Require FIDO2 hardware security keys (YubiKey, Titan) for all access to cryptocurrency custody systems, exchange admin panels, and cloud infrastructure holding wallet keys.

Verify virtual meeting invitations out-of-band

Require employees to confirm any unexpected virtual meeting invitation from an unknown contact through a separate verified channel before clicking meeting links. Flag all meeting domains that do not match the official domains of the stated service.

Audit browser extensions across crypto developer workstations

Pull the installed extension list from all developer Macs using mdm tooling. Remove any cryptocurrency wallet extension not on the approved list. Inspect extensions with read-all-sites permissions using Chrome Developer mode extension source review.

Why JINX-0164 Cryptocurrency Malware Matters for Your Organization

JINX-0164 represents the continued evolution of North Korean cryptocurrency theft operations from broad credential phishing toward surgical targeting of the professionals who hold custody of digital assets at scale. Every confirmed JINX-0164 intrusion targeted someone with direct access to wallet infrastructure, not peripheral staff. The @velora-dex/sdk supply chain attack demonstrates that the group's operational reach now extends beyond direct social engineering into passive compromise of the development toolchain itself.

The 51 cryptocurrency wallet extensions and 26 desktop wallet applications that AUDIOFIX targets by name represent a comprehensive attack surface map of the crypto custody ecosystem. This is not opportunistic malware, it is precision tooling built for the specific purpose of extracting cryptocurrency at the infrastructure level.

The threat is not confined to large exchanges. DeFi protocols, NFT platforms, blockchain infrastructure companies, and individual developers with significant cryptocurrency holdings are all within JINX-0164's confirmed operational profile. Any macOS developer who works in cryptocurrency and received an unexpected LinkedIn recruiter message or meeting invitation in the past six months should treat that interaction as a potential JINX-0164 contact.

Organizations in adjacent sectors, fintech, traditional finance firms with crypto custody programs, gaming companies with in-game currency systems, should also review their developer security posture against these indicators. The npm supply chain vector specifically does not discriminate by organizational sector: it targets any developer who installs the compromised package.

Immediate action on the IOCs, the npm package audit, and the coreaudiod process check costs minutes. Failing to act costs wallets.

The bottom line

JINX-0164 cryptocurrency malware is a confirmed active North Korea-linked campaign that has already conducted multiple intrusions at cryptocurrency organizations and compromised the @velora-dex/sdk developer toolchain. Three key takeaways: first, AUDIOFIX automatically exfiltrates 51 crypto wallet extensions and 7 browser credential stores in a single execution, any macOS developer who ran a fake driver fix is already compromised. Second, the npm supply chain attack requires no user interaction, if your CI/CD pipeline auto-resolved @velora-dex/sdk v4.9.1, rotate all credentials on that system now. Third, LinkedIn recruiter lures are the entry point, verify every unexpected meeting invitation through a second channel before clicking. Run the coreaudiod audit command today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is JINX-0164?

JINX-0164 is a previously undocumented, North Korea-linked threat actor that has targeted cryptocurrency organizations and software developers since at least mid-2025. Wiz researchers disclosed the group on May 28, 2026. The group uses fake LinkedIn recruiter lures and spoofed meeting domains to deliver two custom macOS malware families: AUDIOFIX, a Python-based stealer and remote access tool, and MiniRAT, a Go-based backdoor. JINX-0164's infrastructure is distinct from other tracked North Korean groups but its financial motivation and target selection match the established North Korean cryptocurrency theft playbook.

How does AUDIOFIX steal cryptocurrency wallets?

AUDIOFIX is a Python-based infostealer that on first execution automatically sweeps the infected Mac for 51 browser-based cryptocurrency wallet extensions (including MetaMask, Phantom, Coinbase Wallet, and Trust Wallet), 26 desktop wallet applications, credential stores in Chrome, Firefox, Safari, Brave, and Edge, SSH private keys, AWS and GCP authentication tokens, Discord and Slack tokens, and clipboard history. All stolen data is exfiltrated to three operator-controlled C2 domains over HTTPS. AUDIOFIX also accepts remote commands for shell execution and additional payload delivery.

How do I know if I'm affected by the @velora-dex/sdk supply chain attack?

Run npm ls @velora-dex/sdk in every project repository and CI/CD environment. If version 4.9.1 appears, that system installed the trojanized package. The malicious version appended three lines to dist/index.js that fetched and installed MiniRAT. Treat any system with version 4.9.1 as compromised: rotate all credentials on that machine, audit git commit history for unexpected changes, and check for outbound connections to datahub[.]ink and byte-io[.]us.

Is JINX-0164 a North Korean threat group?

Wiz researchers assess JINX-0164 as consistent with North Korean financially motivated threat clusters including BlueNoroff, Contagious Interview, and UNC1069, based on behavioral patterns, target selection, and tooling characteristics. However, JINX-0164's infrastructure has no confirmed overlap with previously tracked North Korean groups, so it represents either a new cluster or a deliberate infrastructure separation within the North Korean operational ecosystem. North Korean state-sponsored actors stole $1.3 billion in cryptocurrency in 2024 per Chainalysis.

How do I detect AUDIOFIX malware on macOS?

Run sudo find / -name "coreaudiod" -not -path "/usr/sbin/coreaudiod" 2>/dev/null, any result indicates an anomalous coreaudiod binary. Legitimate macOS coreaudiod is always at /usr/sbin/coreaudiod. Also check for outbound DNS queries to datahub[.]ink, cloud-sync[.]online, byte-io[.]us, and apple.driver-store[.]com in your DNS logs. Hash-match running Python processes against the known AUDIOFIX SHA-256: 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6.

What should I do if I downloaded a fake Teams fix or driver update?

Assume full compromise of the device and all credentials stored on it. Immediately move any cryptocurrency holdings to a new wallet generated on a clean, offline device. Rotate SSH keys, AWS/GCP tokens, exchange API keys, and any passwords stored in browsers on the compromised machine. Revoke active browser sessions for all financial and exchange accounts. Report the incident to your security team and preserve disk artifacts for forensic analysis before wiping the device.

Which cryptocurrency wallet extensions does AUDIOFIX target?

AUDIOFIX targets 51 browser-based cryptocurrency wallet extensions including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Exodus, Brave Wallet, OKX Wallet, Keplr, Rabby, and dozens more across Chrome, Firefox, Safari, Brave, and Edge. It also targets 26 desktop wallet applications including Electrum, Exodus desktop, Atomic Wallet, Ledger Live, and Trezor Suite. Any crypto wallet extension or application installed on the infected Mac is at risk of credential and key theft.

How do fake recruiter attacks work on macOS?

JINX-0164 operators create convincing LinkedIn profiles posing as cryptocurrency industry recruiters, investors, or business contacts. They send connection requests and meeting invitations to employees at targeted crypto firms. The meeting URL points to a domain that spoofs a legitimate teleconference service such as Microsoft Teams or Bitget. During the call, a staged technical error prompts the target to download a troubleshooting fix, typically a Python script or binary named to resemble a system driver. Running the fix installs AUDIOFIX or MiniRAT on the victim's Mac.

Sources & references

  1. Wiz, JINX-0164 Threat Actor Targets Crypto Organizations
  2. The Hacker News, JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
  3. Infosecurity Magazine, New Threat Actor Jinx-0164 Targets Crypto Developers on macOS
  4. CISA, Known Exploited Vulnerabilities Catalog
  5. MITRE ATT&CK, T1566.004 Spearphishing Voice

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.