Singapore Entrepreneur Loses Entire Crypto Portfolio After Downloading Fake Game

A Singapore-based entrepreneur has lost a six-figure sum in crypto after falling victim to malware disguised as an elaborate game-testing scam.

Mark Koh, the founder of victim-support organization RektSurvivor, detailed his experience in an interview with Lianhe Zaobao and in a LinkedIn post.

The two accounts describe that on December 5, Koh came across a beta testing opportunity on Telegram for an online game called MetaToy.

Koh, who has invested in and evaluated numerous Web3 projects, was convinced that the MetaToy game was legitimate, based on the professional appearance of its website and Discord, and based on the responsiveness of team members.

However, Koh reports that downloading MetaToy’s game launcher resulted in malware being uploaded to his computer.

His Norton antivirus did flag suspicious activity on his PC, and Koh took the steps of running full system scans, deleting suspicious files and registries, and even reinstalling Windows 11.

Yet within 24 hours of doing this, every single software wallet he had connected to his Rabby and Phantom browser extensions was drained of all available funds, which amounted to $14,189 (100,000 yuan) in crypto that he had accumulated over eight years.

“I didn’t even log into my wallet app. I had separate seed phrases. Nothing was saved digitally,” he told Decrypt.

Koh also tells Decrypt that the attack was most likely a combination of an authentication token theft, as well as a Google Chrome zero-day vulnerability that was first discovered in September and that can enable the execution of malicious code.

He also underlines the fact that the exploit likely had multiple attack vectors, given that he had scanned all identifiably suspicious files and that his Norton antivirus managed to block two DLL (dynamic link library) hijack attempts.

“So it had multiple vectors and also implanted a malicious scheduled process too,” he added.

In the face of this apparent sophistication, Koh said potential targets—especially angel investors or developers likely to download beta launchers—take extra safety measures.

“So I would advise even if the usual precautions are taken to actually remove and delete seeds from browser-based hot wallets when not in use,” he said. “And if possible use the private key, not the seed, because then all the other derivative wallets won’t be at risk.”

Koh has reported the fraud to the Singapore police, which confirmed to the Chinese-language Lianhe Zaobao newspaper that it has received a corresponding report.

The RektSurvivor founder also put Decrypt in contact with Daniel, another victim of the MetaToy exploit, who was also based in Singapore.

The other victim told Decrypt that he was still in contact with the scammer, who was under the impression that he, Daniel, was still trying to download the game launcher.

The MetaToy exploit comes as cybercriminals use increasingly sophisticated techniques to infect computers with malware.

In October, McAfee discovered that hackers were using GitHub repositories to enable its banking malware to connect to new servers whenever a previous server is taken down.

Similarly, this year has witnessed the use of fake AI tools aimed at spreading crypto-stealing malware, as well as the use of fake Captchas and malicious pull requests inserted into Ethereum code extensions.