Emerging Threat! Exposing JOKERSPY

2023-06-21 Elastic

https://www.elastic.co/kr/security-labs/inital-research-of-jokerspy

Elastic analyzed a REF9134 intrusion at a prominent Japanese cryptocurrency exchange where an adversary used JOKERSPY components on macOS systems. The activity involved the self-signed Swift binary xcc, which checked permissions such as Full Disk Access, Screen Recording, Accessibility, screen lock state, and attempted TCC database manipulation to evade user prompts. A Python backdoor named sh.py loaded configuration from ~/Public/Safari/sar.dat, beaconed to configured C2 infrastructure, gathered host information, and supported commands for shell execution, file upload and download, configuration changes, and Python code execution. The same activity deployed Swiftbelt to /Users/shared/sb for macOS post-exploitation enumeration, suggesting an intrusion chain focused on reconnaissance, permission abuse, and follow-on access within a cryptocurrency target.
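As an added hunting example (not Elastic's code), the script below checks a filesystem root for the two artifact paths the summary names, the sh.py configuration file under each user's ~/Public/Safari/sar.dat and the Swiftbelt drop at /Users/shared/sb, and flags log lines that mention the C2 domain from the indicator table. The temporary directory layout and the log lines are constructed for demonstration; on a live host you would pass "/" and your real DNS or proxy log.

```python
"""Host hunt for the JOKERSPY artifacts described above (added example).
Paths and domain come from the report; the test tree is constructed."""
import tempfile
from pathlib import Path

# Artifacts named in the summary, relative to a filesystem root so the
# same logic runs against "/" on a live host or a mounted disk image.
USER_RELATIVE_ARTIFACTS = ["Public/Safari/sar.dat"]  # sh.py config file
SHARED_ARTIFACTS = ["Users/shared/sb"]               # Swiftbelt binary
C2_DOMAINS = {"app.influmarket.org"}                 # from the IoC table


def hunt_filesystem(root):
    """Return (category, path) findings for the named artifacts under root."""
    root = Path(root)
    hits = []
    users = root / "Users"
    if users.is_dir():
        # One sar.dat per compromised user home, so walk every home dir.
        for home in users.iterdir():
            for rel in USER_RELATIVE_ARTIFACTS:
                candidate = home / rel
                if candidate.exists():
                    hits.append(("jokerspy_config", str(candidate)))
    for rel in SHARED_ARTIFACTS:
        candidate = root / rel
        if candidate.exists():
            hits.append(("swiftbelt_binary", str(candidate)))
    return hits


def hunt_dns_log(lines):
    """Return the log lines that reference a known C2 domain."""
    return [line for line in lines if any(d in line for d in C2_DOMAINS)]


def demo():
    """Build a constructed tree with both artifacts and run both hunts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "Users/alice/Public/Safari/sar.dat"
        cfg.parent.mkdir(parents=True, exist_ok=True)
        cfg.write_bytes(b"constructed sample config")
        sb = root / "Users/shared/sb"
        sb.parent.mkdir(parents=True, exist_ok=True)
        sb.write_bytes(b"constructed sample binary")
        fs_hits = hunt_filesystem(root)
    # Constructed DNS log lines; only the first references the C2 domain.
    log = ["10:01 query app.influmarket.org A", "10:02 query example.com A"]
    return fs_hits, hunt_dns_log(log)
```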

Indicators of Compromise

Type Value First Seen Last Seen
HASH 452c832a17436f61ad5f32ee1c97db0… 2023-06-21 2024-04-11
HASH aa951c053baf011d08f3a60a10c1d09… 2023-06-21 2023-07-19
HASH d895075057e491b34b0f8c0392b44e4… 2023-06-21 2023-07-19
HASH 55554944f74096a836b73310bd55d97… 2023-06-21 2023-06-28
DOMAIN app.influmarket.org 2023-06-21 2023-06-28
HASH 8ca86f78f0c73a46f31be366538423e… 2023-06-21 2023-06-21
