A previously undocumented threat actor is conducting highly targeted attacks against cryptocurrency organizations, using fake recruitment opportunities, custom macOS malware, and software supply chain compromises to gain access to development environments and cloud infrastructure.
Researchers at Wiz Research have identified the group as JINX-0164, a financially motivated actor that has been active since at least mid-2025. Unlike many crypto-focused threat groups that target wallets and exchanges directly, JINX-0164 is going after the software development infrastructure that powers crypto companies.
The Attack Starts on LinkedIn
According to Wiz’s investigation, the threat actor’s operations begin with carefully crafted social engineering campaigns.
Developers and technical employees at cryptocurrency firms are approached on LinkedIn by profiles posing as recruiters, business partners, or industry professionals. The interactions often appear legitimate and may continue for days before the target is invited to a virtual meeting.
The meeting invitation directs victims to a website masquerading as a teleconferencing platform. However, instead of joining a video call, users unknowingly download malware specifically designed for macOS systems.
This level of targeting suggests the attackers have conducted reconnaissance beforehand and are deliberately selecting employees with access to development resources and sensitive corporate systems.
From Developer Laptop to Production Infrastructure
Once the malware is executed, attackers establish remote access to the compromised machine and begin harvesting credentials.
What makes JINX-0164 particularly dangerous is its focus on developer environments. Rather than stopping at endpoint compromise, the group pivots toward software repositories, build pipelines, cloud environments, and CI/CD systems.
Researchers observed attackers moving laterally from employee devices into development infrastructure, enabling them to access source code, authentication tokens, and deployment systems.
In at least one incident investigated by Wiz, the campaign escalated into a software supply chain attack, showing the potential for downstream impact beyond the initial victim organization.
A Shift in Crypto Threat Actor Tactics
Historically, many crypto-focused threat actors have concentrated on stealing digital assets directly through wallet compromise or exchange breaches.
JINX-0164 appears to be taking a different route.
By targeting developers and the systems they use to build and distribute software, the group gains access to a broader attack surface. Compromising a CI/CD pipeline can potentially provide access to production environments, customer-facing applications, and software updates distributed to thousands of users.
Custom Tooling and Long-Term Access
Wiz researchers noted that the actor relies on custom-built malware rather than publicly available tools. This enables the group to maintain stealth, evade traditional security controls, and adapt quickly when defenses change.
The malware serves as a foothold into the victim environment, after which the attackers focus heavily on credential collection and infrastructure access.
Particular attention appears to be paid to cloud resources and development secrets—assets that can provide privileged access across an organization’s environment.
Why Cryptocurrency Firms Are Being Targeted
Cryptocurrency companies remain among the most lucrative targets for cybercriminals.
Beyond direct access to digital assets, these organizations often manage large volumes of financial transactions, proprietary code, and privileged infrastructure. Developers within these firms frequently have access to production environments, signing keys, cloud platforms, and deployment pipelines.
For attackers, compromising a single engineer can become a gateway to an entire ecosystem.
