Crypto Developers Targeted by JINX-0164 Hackers Through Fake LinkedIn Meetings

A group of hackers known as JINX-0164 has been targeting crypto developers through fake LinkedIn meeting invites that lead to macOS malware infections. The campaign, which began in mid-2025, uses professional-looking profiles and social engineering tactics to deliver custom malware called AUDIOFIX.

The attackers send victims links to fake video meeting pages that prompt them to run what appears to be a tool needed for the call. However, the link delivers AUDIOFIX, a custom macOS malware strain designed to run on both Intel and Apple Silicon Macs.

Once inside a machine, AUDIOFIX collects saved passwords from the macOS Keychain, browser credentials, SSH keys, cloud access tokens, and crypto wallet data. The attackers also directly phish for passwords and store them in encoded files.