Singaporean Angel Investor Loses $100,000 After Beta Game Malware Scam
Mark Koh, a 44-year-old Singapore-based angel investor and co-founder of the victim support group RektSurvivor, recently fell victim to an elaborate malware scam that drained his cryptocurrency holdings worth S$100,000 (US$14,189).
The loss came after Koh, an experienced Web3 investor, downloaded a beta game launcher for an online game called MetaToy.
Mark Koh (left) with the man behind the internet meme ‘Hide the Pain Harold’. (Source: Mark Koh’s Linkedin)
Koh encountered the opportunity on Telegram on 5 December, where he was approached by a user named “Shanni,” claiming to be a co-founder of the MetaToy project.
He told local news media:
“As someone who has evaluated countless Web3 projects, I believed I could identify scams, and this project looked legitimate.”
The professional appearance of the project’s website, Discord server, and the patient responses from the team convinced him to proceed.
Malware Infiltrates Despite Precautions
After downloading the game launcher, Koh’s Norton antivirus flagged suspicious activity.
He performed full system scans, deleted the flagged files and registry entries, and even reinstalled Windows 11.
Despite these precautions, within 24 hours, all software wallets connected to his Rabby and Phantom browser extensions were emptied.
Koh, who had accrued these assets over eight years, was shocked:
“I didn’t even log into my wallet app. I had separate seed phrases. Nothing was saved digitally.”
Koh believes the attack exploited multiple vectors, including a combination of stolen authentication tokens and a Google Chrome zero-day vulnerability first discovered in September.
He noted that the malware implanted scheduled processes and attempted DLL hijacks, both of which were partially blocked by his antivirus.
Lessons For Crypto Users From An Experienced Investor
Koh urged other potential targets, particularly angel investors and developers likely to download beta launchers, to take extra safety measures.
“So I would advise even if the usual precautions are taken to actually remove and delete seeds from browser-based hot wallets when not in use. And if possible use the private key, not the seed, because then all the other derivative wallets won’t be at risk.”
Police Report Filed And Ongoing Investigations
The incident has been reported to the Singapore police, who confirmed to local news media that a report had been received.
Another Singapore-based victim of the MetaToy scam said the scammer stayed in contact, apparently believing the victim was still trying to download the launcher.
Sophistication Of Modern Crypto Scams
Koh’s experience highlights how cybercriminals are increasingly using sophisticated techniques to infiltrate systems.
Despite using multiple wallets, multi-signature setups, two-factor authentication, and air-gapped recovery phrases, he became a victim.
He reflected:
“I already use redundant wallets, cold wallets, (multi-signatures), have 2FA on everything, strong passwords, a password manager, air gapped physical recovery phrases. So believe me, you can be a victim still.”
The case illustrates how even experienced investors can fall prey to cybercriminals leveraging professional-looking online projects.
Koh’s story serves as a warning for cryptocurrency users to remain vigilant and to minimise digital exposure of assets, especially when using browser-based wallets.
Crypto Community Irony Hits Close To Home
Koh, who co-founded RektSurvivor to support victims of cryptocurrency fraud, now finds himself among those he once helped.
He wrote on LinkedIn:
“The irony is not lost on me. I’ve spent years helping others navigate these situations, and now I’m one of them.”
He hopes sharing his story will encourage others to take extra precautions and be mindful of the increasing sophistication of crypto scams.