GasCope
Hackers Use Fake LinkedIn Jobs to Steal Crypto Developer Code Pipelines

A previously undocumented threat actor is systematically targeting cryptocurrency developers through fake LinkedIn recruitment campaigns, installing custom malware on their computers, and then using that access to compromise the company's entire software development infrastructure. Security firm Wiz has named the group JINX-0164 and has been tracking it since at least mid-2025. The group has conducted multiple successful intrusions against cryptocurrency organisations, in at least one case attempting a full supply chain attack by distributing malicious code through a widely used public package. The timeless lure of a recruiter slide-DM, it seems, still pays dividends.

How the Attack Works

The attack follows a consistent pattern across every documented case:

  • A credible LinkedIn profile reaches out with a job opportunity or business proposal.
  • The target is invited to a virtual meeting through what appears to be Microsoft Teams or a similar platform.
  • The meeting link leads to a fake domain where a malicious file is downloaded under the guise of fixing an audio or technical problem — because nothing says "hire this candidate" like solving the interviewer's mic issues.
  • The file installs AUDIOFIX, a custom Python-based malware with full remote access capabilities.
  • Attackers harvest passwords, SSH keys, browser credentials, cryptocurrency wallet extensions, AWS and cloud API keys, and active sessions from Discord, Slack, and Telegram.
  • GitHub tokens extracted from the compromised machine are used to access internal code repositories.
  • Malicious code is injected directly into the development pipeline, infecting every other developer who pulls from those repositories.

The entire process from initial LinkedIn contact to full pipeline compromise took two weeks in one documented case.

The Supply Chain Attack

On April 7, 2026, JINX-0164 trojanised version 9.4.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK. Three lines of malicious code were appended to the package that silently downloaded a lightweight backdoor called MINIRAT whenever the package was imported by any developer. The attack targeted npm credentials rather than the GitHub source code, meaning the repository appeared clean while the published package was compromised. Three lines of code, thousands of downstream installs — a respectable return on investment.

Why Developers Are the Target

Developer machines hold credentials for every system the developer touches: cloud infrastructure, code repositories, package managers, internal APIs. JINX-0164 showed almost no interest in traditional cloud resources after gaining access. Their focus was exclusively on code distribution systems and development infrastructure, the most efficient path to reaching thousands of end users through a single trusted package. Hackers, it turns out, are also into yield farming — just not the kind that pays out in tokens.

What to Watch For

Wiz identified several indicators that helped detect the attack, including unverified commit badges on GitHub's Vigilant Mode, mismatches between GPG key history and commit authors, and git push activities traced back to a single compromised endpoint through audit logs. The group routes all activity through Mullvad, Astrill, and ExpressVPN to mask their origin. While no definitive attribution has been confirmed, Wiz noted tactical similarities to North Korean threat groups including UNC1069 and Sapphire Sleet, though no infrastructure overlap with known groups has been identified.
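
The three indicators above can be combined in one triage pass. The Python below is an added example, not code from Wiz or from this article: it flags unverified commits and commits signed with a key outside the author's history, then groups the flagged commits by the source that pushed them. The record fields, the sample data and the first-key-seen baseline are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records. Field names are simplified assumptions, not
# the schema of a real GitHub API response or audit-log export.
COMMITS = [  # oldest first
    {"sha": "c1", "author": "alice", "verified": True,  "key_id": "KEY-A1"},
    {"sha": "c2", "author": "bob",   "verified": True,  "key_id": "KEY-B1"},
    {"sha": "c3", "author": "alice", "verified": True,  "key_id": "KEY-A1"},
    {"sha": "c4", "author": "alice", "verified": False, "key_id": None},
    {"sha": "c5", "author": "bob",   "verified": True,  "key_id": "KEY-X9"},
]
PUSHES = [  # each push event lists the commits it delivered (assumption)
    {"actor": "alice", "source": "198.51.100.7", "shas": ["c1", "c3"]},
    {"actor": "bob",   "source": "203.0.113.20", "shas": ["c2"]},
    {"actor": "alice", "source": "192.0.2.44",   "shas": ["c4"]},
    {"actor": "bob",   "source": "192.0.2.44",   "shas": ["c5"]},
]

def flag_commits(commits):
    """Return {sha: reason} for unverified commits and for commits signed
    with a key that differs from the author's established key history."""
    known = defaultdict(set)   # author -> key ids seen on verified commits
    flagged = {}
    for c in commits:
        if not c["verified"]:
            flagged[c["sha"]] = "unverified"
            continue
        history = known[c["author"]]
        if history and c["key_id"] not in history:
            flagged[c["sha"]] = "key-mismatch"  # never added to the baseline
        else:
            history.add(c["key_id"])  # first key seen becomes the baseline
    return flagged

def trace_sources(flagged, pushes):
    """Group flagged commits by the source that pushed them."""
    by_source = defaultdict(list)
    for p in pushes:
        for sha in p["shas"]:
            if sha in flagged:
                by_source[p["source"]].append((p["actor"], sha, flagged[sha]))
    return dict(by_source)

if __name__ == "__main__":
    flagged = flag_commits(COMMITS)
    for source, hits in trace_sources(flagged, PUSHES).items():
        print(source, hits)
```

In the constructed data, both flagged commits arrive from the same source under two different accounts, which is the pattern that points to one compromised endpoint holding several stolen tokens.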

Publisher: gascope.com