Cybercriminals are targeting cryptocurrency firms with fake job interviews, malicious meeting apps, and stealthy macOS malware designed to steal digital assets.

Attackers Use Fake Recruiters to Target Crypto Firms
A newly discovered threat group called JINX-0164 is targeting cryptocurrency companies and software developers through fake recruitment campaigns.
The attackers create convincing recruiter profiles on LinkedIn and contact employees working in crypto and blockchain organizations. They offer fake job opportunities and invite victims to attend virtual interviews.
However, the interview process is part of a carefully planned cyberattack.
Fake Meeting Apps Install Malware
During the fake interview, victims are redirected to a fraudulent meeting website. The site looks like a legitimate video conferencing platform.
The website then displays a fake technical issue. Victims are instructed to download an audio or meeting fix to continue the interview.
Once installed, the file silently deploys a macOS malware strain called AUDIOFIX.
Researchers found that the malware works on both Intel-based Macs and Apple Silicon systems. The malware disguises itself as a legitimate system process to avoid detection.
Malware Steals Sensitive Information
After infecting the device, the malware begins collecting sensitive data from the victim’s system.
The attackers steal:
- Browser credentials
- Password manager data
- SSH keys
- iCloud Keychain files
- Administrator credentials
- Console history logs
- Discord, Slack, and Telegram sessions
The campaign also targets cryptocurrency wallets and browser wallet extensions. In addition, attackers search for development environment files and internal configuration data.
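For defenders, the collection pattern described above (one process reading several unrelated credential stores in quick succession) can be detected from file-access telemetry. The following is an added example, not code from the researchers or from the original article; the event format, the macOS path patterns, the process names, and the `window` and `threshold` values are all assumptions chosen for illustration.

```python
import fnmatch
from collections import defaultdict

# Article's data categories mapped to common macOS locations. The paths are
# assumptions for illustration, not indicators published for this campaign.
CATEGORIES = {
    "ssh_keys": ["/Users/*/.ssh/*"],
    "keychain": ["/Users/*/Library/Keychains/*"],
    "browser_credentials": ["/Users/*/Library/Application Support/Google/Chrome/*/Login Data"],
    "console_history": ["/Users/*/.zsh_history", "/Users/*/.bash_history"],
    "chat_sessions": ["/Users/*/Library/Application Support/Slack/*"],
}

# Constructed file-open events: (unix_seconds, pid, executable, file_opened).
SAMPLE_EVENTS = [
    (100, 4242, "/private/tmp/constructed_helper", "/Users/dev/.ssh/id_ed25519"),
    (101, 4242, "/private/tmp/constructed_helper", "/Users/dev/Library/Keychains/login.keychain-db"),
    (103, 4242, "/private/tmp/constructed_helper",
     "/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data"),
    (104, 4242, "/private/tmp/constructed_helper", "/Users/dev/.zsh_history"),
    (110, 511, "/usr/bin/ssh", "/Users/dev/.ssh/id_ed25519"),
    # Slow, spread-out access (e.g. a backup job) stays below the threshold.
    (0, 900, "/usr/local/bin/constructed_backup", "/Users/dev/.ssh/config"),
    (4000, 900, "/usr/local/bin/constructed_backup", "/Users/dev/Library/Keychains/login.keychain-db"),
    (8000, 900, "/usr/local/bin/constructed_backup", "/Users/dev/.zsh_history"),
]

def categorize(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for category, patterns in CATEGORIES.items():
        if any(fnmatch.fnmatchcase(path, p) for p in patterns):
            return category
    return None

def flag_fanout(events, window=60, threshold=3, allowlist=()):
    """Flag processes touching >= threshold categories within `window` seconds."""
    hits = defaultdict(list)
    for ts, pid, exe, path in sorted(events):
        category = categorize(path)
        if category and exe not in allowlist:
            hits[(pid, exe)].append((ts, category))
    flagged = {}
    for proc, seen in hits.items():
        for start, _ in seen:
            cats = {c for t, c in seen if 0 <= t - start <= window}
            if len(cats) >= threshold:
                flagged[proc] = sorted(cats)
                break
    return flagged

if __name__ == "__main__":
    print(flag_fanout(SAMPLE_EVENTS))
```

Legitimate tools that read one store (an SSH client, a browser reading its own profile) stay under the threshold; known multi-store readers such as backup agents belong in `allowlist` after review.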
Attackers Target Development Infrastructure
Researchers discovered that JINX-0164 also attempts to move deeper into company environments.
The attackers use compromised employee devices to access internal development systems and CI/CD infrastructure. In one reported case, the threat actor attempted a supply chain attack by modifying source code.
This technique could allow the malware to spread to additional systems and potentially steal wallet credentials from other users.
MiniRAT Linked to the Campaign
Researchers also connected the campaign to a malware tool called MiniRAT.
MiniRAT is a Go-based backdoor that was previously distributed through a compromised npm package linked to decentralized finance software.
The malware allows attackers to:
- Execute shell commands
- Upload files
- Download additional payloads
- Maintain remote access to infected systems
Similarities to North Korean Threat Operations
Some techniques used in this campaign resemble tactics linked to North Korean cyber groups that target cryptocurrency companies.
The attackers use fake recruiters, spoofed domains, and social engineering methods similar to previous crypto-focused operations.
However, researchers have not confirmed a direct connection between JINX-0164 and known nation-state threat groups.
Why This Campaign Matters
This campaign shows how attackers continue targeting the cryptocurrency sector through social engineering and supply chain attacks.
Remote hiring processes create new opportunities for cybercriminals to trick employees into installing malware. Developers and technical staff remain high-value targets because they often have access to sensitive systems and digital assets.
Organizations should strengthen endpoint security, monitor developer environments, and verify recruitment communications carefully. Additionally, security awareness training can help employees identify fake interview scams before attackers gain access.