New Threat Actor JINX-0164 Targets Cryptocurrency Organizations

New Threat Actor JINX-0164 Targets Cryptocurrency Organizations

First seen 28 May 2026, 12:13 UTC Infosecurity-MagazineGbhackersSocprimeCybersecuritynewsFeeds.Feedburner+8 83% similarity 70.5

Article Content

Browse articles
ThreatCluster

A new threat actor, JINX-0164, has been identified targeting cryptocurrency firms using custom macOS malware and social engineering tactics. Active since mid-2025, the group employs fake recruiter approaches to gain initial access. Victims are invited to virtual meetings on lookalike domains, where malware is installed under the guise of a technical fix. The malware, named Audiofix, is capable of stealing sensitive information such as credentials and cryptocurrency wallet details. JINX-0164 has also hijacked internal development pipelines, injecting malicious code into repositories, leading to further infections. The group has been linked to multiple incidents, including the trojanization of npm packages. Security experts recommend monitoring for specific indicators of compromise and enhancing logging practices. The threat remains active as of May 2026.

Key Points: • JINX-0164 targets cryptocurrency organizations using sophisticated social engineering. • The group employs custom macOS malware named Audiofix to steal sensitive credentials. • Infections spread through compromised development pipelines and trojanized npm packages.

ThreatCluster AI

Timeline

2025-04-07
Trojanized npm package discovered
Version 4.9.1 of @velora-dex/sdk was found to include malicious code fetching a backdoor.
Infosecurity-Magazine
2026-05-28
Public disclosure of JINX-0164 activities
Wiz published findings detailing the attack methods and tools used by JINX-0164 targeting crypto firms.
Wiz
Recent
JINX-0164 identified by Wiz
Wiz's analysis attributed multiple attacks to the previously unreported actor JINX-0164, active since mid-2025.
Wiz

Community

Browse all →