How a Singapore Crypto Founder Became the Latest Victim in a Sophisticated Malware Campaign

When Professional Appearance Isn’t Enough Protection

The crypto community has been warned again about the dangers of seemingly legitimate opportunities. Mark Koh, who founded RektSurvivor—an organization dedicated to supporting fraud victims—discovered this the hard way when he lost over $14,000 worth of cryptocurrency through an intricately designed scam.

On December 5, Koh encountered what appeared to be an exclusive beta testing opportunity for an online game called MetaToy, promoted through Telegram. Given his background evaluating and investing in Web3 projects, Koh found the proposition credible. The project’s website, Discord server, and responsive team members all presented a veneer of legitimacy that convinced him to proceed. The critical mistake came when he downloaded MetaToy’s game launcher—it contained hidden malware.

The Aftermath: How Security Measures Still Failed

What happened next shows how reactive cleanup can come too late. Norton flagged suspicious activity, and Koh responded immediately: he ran full system scans, removed the flagged files and registry entries, and finally reinstalled Windows 11 from scratch. None of it mattered, because the secrets had already left the machine. Within 24 hours of the reinstall, every wallet held in his Rabby and Phantom browser extensions was drained. A reinstall removes the implant, but it does not revoke keys that have already been exfiltrated; once theft is suspected, the only effective response is to move funds to freshly generated wallets from a separate, known-clean device, before cleaning the compromised one.

The total loss: 100,000 yuan ($14,189) accumulated over eight years of crypto involvement.

“I didn’t even log into my wallet app. I had separate seed phrases. Nothing was saved digitally,” Koh explained to media outlets, highlighting just how invasive the attack was.

A Multi-Vector Assault

Koh's analysis, combined with input from security researchers, suggests the attack chained several techniques. The primary mechanism appears to have been theft of authentication tokens and stored data belonging to the wallet browser extensions. The attackers also appear to have used a Google Chrome zero-day vulnerability disclosed in September that allows arbitrary code execution.

The scale of the operation became clear when Koh found that Norton had blocked two separate DLL (dynamic link library) hijacking attempts, in which a malicious library is planted where a legitimate program will load it. The attackers had also created a malicious scheduled task for persistence, so execution and re-infection were attempted through several paths rather than a single exploit.

Industry Context: Escalating Malware Sophistication

This case is not isolated. Throughout 2024, cybercriminals have escalated their tactics significantly. McAfee documented banking malware that uses GitHub repositories to host its configuration, so that infected machines can locate new command servers even after the original ones are taken down. The industry has also seen a surge in counterfeit AI tools that deliver crypto-stealing malware, fake CAPTCHA overlays that trick users into running commands, and malicious code injected into Ethereum wallet browser extensions.

Advice for High-Value Targets

Recognizing that certain individuals, such as angel investors, developers, and beta testers, face elevated risk, Koh shared specific recommendations. For those who already take standard precautions but want additional protection, he stresses one practice above all: remove seed phrases from browser-based hot wallets whenever they are not in use, so that a compromised browser has nothing to steal.

Even more robust: import individual private keys rather than a seed phrase for high-value accounts. A seed phrase is the root of a hierarchical-deterministic wallet, so whoever obtains it can regenerate every account derived from it; a single private key controls only its own account, which limits the blast radius of any one compromise.
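As an added illustration (example code written for this page, not anything from Koh, RektSurvivor or any wallet vendor), the following Python shows why that distinction matters: one BIP-39 seed phrase deterministically produces every account in the wallet, so an attacker holding the phrase can enumerate them all, whereas a single leaked private key yields only that one account. It assumes a fully hardened path (m/44'/60'/0'/0'/i') so the derivation can be done with HMAC-SHA512 and modular addition alone; real Ethereum wallets use m/44'/60'/0'/0/i, whose last two levels are non-hardened and need secp256k1 point arithmetic. The mnemonic used is the standard BIP-39 test phrase, not a real wallet.

```python
"""Added example (not from the article): why a leaked BIP-39 seed phrase exposes
every derived account, while a single imported private key exposes only itself.
Standard library only.  Assumption: every derivation level is hardened, which
lets us skip elliptic-curve point math (real Ethereum paths are not).
"""
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP-32 reduces child keys modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes)."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP-32 master node: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed); key = I[:32], chain code = I[32:]."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key (astronomically unlikely); use a different seed")
    return k, i[32:]


def derive_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """BIP-32 hardened child: I = HMAC-SHA512(c_par, 0x00 || ser256(k_par) || ser32(index)).

    Note that the *parent private key and chain code* are inputs: a leaf key on
    its own cannot be walked back up or sideways to sibling accounts.
    """
    if index < HARDENED:
        raise ValueError("only hardened indices are supported in this example")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key; BIP-32 says skip to the next index")
    return k_child, i[32:]


def derive_path(seed: bytes, path: str) -> tuple[int, bytes]:
    """Derive m/a'/b'/... from a seed.  Every component must be hardened (trailing ')."""
    k, c = master_key(seed)
    for comp in path.split("/")[1:]:
        if not comp.endswith("'"):
            raise ValueError(f"non-hardened component {comp!r} needs EC point math; not supported here")
        k, c = derive_hardened(k, c, int(comp[:-1]) + HARDENED)
    return k, c


def accounts_from_seed(mnemonic: str, count: int, passphrase: str = "") -> list[int]:
    """Attacker's view after a seed-phrase leak: every account is recoverable from the phrase alone."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    return [derive_path(seed, f"m/44'/60'/0'/0'/{i}'")[0] for i in range(count)]


def accounts_from_private_key(private_key: int) -> list[int]:
    """Attacker's view after a single private-key leak: without the parent key and
    chain code there is nothing to derive, so exactly one account is exposed."""
    return [private_key]


if __name__ == "__main__":
    # Constructed demo input: the public BIP-39 test phrase, never a funded wallet.
    DEMO_MNEMONIC = "abandon " * 11 + "about"
    from_seed = accounts_from_seed(DEMO_MNEMONIC, 3)
    from_key = accounts_from_private_key(from_seed[0])
    print(f"seed phrase leak exposes {len(from_seed)} accounts (and any number more)")
    print(f"single private key leak exposes {len(from_key)} account")
```

The hardened-derivation function makes the point concrete: its inputs are the parent private key and chain code, so possession of the seed (and therefore the master node) is what lets an attacker walk the whole tree, while a lone account key is a dead end.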

Broader Investigation and Similar Victims

Koh reported the incident to Singapore’s police force, which confirmed receiving his complaint. Another MetaToy victim, identified as Daniel and also based in Singapore, corroborated the scam’s existence. Notably, Daniel remained in contact with the perpetrators, who mistakenly believed he was still attempting to download the launcher. This detail underscores how calculated these operations are—attackers maintain engagement with potential victims, suggesting an organized campaign rather than ad-hoc exploitation.

What This Means for the Crypto Community

The MetaToy incident exemplifies a troubling pattern: when malicious actors combine professional web design with legitimate-seeming team communication, they pass the initial screening most investors conduct. The lesson cuts deeper than "don't download suspicious files." Antivirus alerts, system scans and even a full OS reinstall are reactive controls; they can stop further execution, but they cannot claw back secrets an attacker has already copied off the machine, and they are no match for a campaign built with multiple persistence mechanisms and a zero-day exploit.

For crypto participants at all levels, the takeaway is clear: assume sophisticated attackers have access to advanced tools. Layer defenses accordingly, maintain strict seed phrase hygiene, and remain suspicious of any opportunity that feels too well-orchestrated, regardless of how legitimate the trappings appear.
