An ongoing threat within Web3 was recently illustrated by Singaporean entrepreneur Mark Koh’s loss of his entire cryptocurrency wallet to a complex scam that presents malware as a beta-testing opportunity. According to the report, Koh, a long-time investor and founder of RektSurvivor (an error-help organization), downloaded a game launcher that served as a “Trojan Horse” for hackers seeking control of his cryptocurrency. Within only months of operating within the Web3 ecosystem, Koh lost about $14,189 (CNY100,000) to that one download.
The attack against Koh illustrates a growing trend of so-called “social-engaged” attacks, increasingly aimed at software developers and early adopters, the people most likely to be exposed to new software. Despite his years of experience and involvement in many Web3 projects vetted under standard cybersecurity protocols, Koh had all of his investments stripped away through social engineering techniques.
The “MetaToy” Trap
According to Koh, who detailed the harrowing experience in an interview with Lianhe Zaobao and on LinkedIn, the scam began on December 5. He encountered an opportunity on Telegram to beta test a new online game titled “MetaToy.”
To a casual observer, the project appeared legitimate. A professionally designed website and a Discord server with active members lent the indie crypto project credibility in investors’ eyes, so Koh was persuaded to download the game’s launcher, a step that is typically a routine part of an investor’s due diligence. This action, however, became a costly mistake for him.
Bypassing the Digital Defenses
Koh ran into trouble immediately after the download: Norton Antivirus, installed on his system, quickly flagged activity suspicious enough that he took action to defend his computer. He ran full system scans, deleted the flagged files and registry entries, and went as far as reinstalling his Windows 11 operating system to ensure a clean slate.
However, these measures were insufficient. Within 24 hours of the initial infection, Koh discovered that every software wallet connected to his browser extensions—specifically Rabby and Phantom—had been drained of all available funds.
“I didn’t even log into my wallet app. I had separate seed phrases. Nothing was saved digitally,” Koh told Decrypt. The theft occurred without him manually authorizing any transactions, suggesting a highly invasive form of malware.
A Technical “Double-Tap”
Koh believes the attackers used an advanced and complex mix of exploits. The malware he suspects was involved is a “token theft” variety, which gave the attackers access to the web browsers that were currently logged in on his device. Koh also pointed to a probable zero-day vulnerability in Google Chrome, reported by a third party in September 2025 (and unknown to Google at that time), which allowed the malware to bypass the browser’s security sandbox and reach the encrypted data (private keys) stored within his wallet extensions.
The malware used in this attack worked through several different channels to infiltrate the target, which shows how complex the attack was. Even though Koh’s antivirus managed to block two DLL (dynamic link library) hijack attempts, a malicious scheduled process had already been implanted deep within his system, waiting to execute the theft.
A Warning for “Hot Wallet” Users
Koh’s account of the incident is a warning to the cryptocurrency community, and in particular to angel investors and developers who stay in constant contact with up-and-coming protocols. The primary lesson, he argues, is that browser-based “hot wallets” are inherently vulnerable if the underlying operating system is compromised.
“I would advise even if the usual precautions are taken to actually remove and delete seeds from browser-based hot wallets when not in use,” Koh advised. He suggests that users should rely on private keys rather than seed phrases for specific wallets, as this compartmentalizes risk—compromising one private key does not necessarily expose an entire tree of derivative wallets.
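The compartmentalization argument above comes down to how hierarchical-deterministic wallets work: every account is derived from the one seed, so a stolen seed reproduces every account, while a stolen per-account private key reproduces only itself. The following is an added illustration, not code from the article or from any wallet mentioned in it; it implements BIP32 hardened derivation with a hardened-only path (a simplification, since real Ethereum-style paths end in two non-hardened levels that need elliptic-curve point math), and the path and the sample seed are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# secp256k1 group order: BIP32 child keys are formed by modular addition over it
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_key(seed: bytes) -> Tuple[int, bytes]:
    """BIP32 master private key and chain code from the raw seed bytes."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive_hardened(parent_key: int, parent_chain: bytes, index: int) -> Tuple[int, bytes]:
    """Hardened child (index >= 2^31). Needs the parent PRIVATE key and chain code,
    which is exactly why a single leaf key cannot walk back to its siblings."""
    index |= HARDENED
    data = b"\x00" + parent_key.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(parent_chain, data, hashlib.sha512).digest()
    child_key = (int.from_bytes(digest[:32], "big") + parent_key) % SECP256K1_N
    return child_key, digest[32:]


def derive_accounts(seed: bytes, count: int) -> Dict[str, int]:
    """Derive account keys at m/44'/60'/i' (assumed, hardened-only path)."""
    key, chain = master_key(seed)
    for level in (44, 60):            # purpose' and coin_type' levels
        key, chain = derive_hardened(key, chain, level)
    accounts = {}
    for i in range(count):
        acct_key, _ = derive_hardened(key, chain, i)
        accounts[f"m/44'/60'/{i}'"] = acct_key
    return accounts


def exposed_by_seed(stolen_seed: bytes, victim_accounts: Dict[str, int]) -> Dict[str, int]:
    """Accounts an attacker holding the seed can reconstruct: all of them, bit for bit."""
    rebuilt = derive_accounts(stolen_seed, len(victim_accounts))
    return {path: k for path, k in rebuilt.items() if victim_accounts.get(path) == k}


def exposed_by_account_key(stolen_key: int, victim_accounts: Dict[str, int]) -> Dict[str, int]:
    """Accounts an attacker holding one account key can use: only that account."""
    return {path: k for path, k in victim_accounts.items() if k == stolen_key}


if __name__ == "__main__":
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample seed
    wallets = derive_accounts(seed, 3)
    print("seed compromise exposes", len(exposed_by_seed(seed, wallets)), "accounts")
    print("one key compromise exposes", len(exposed_by_account_key(wallets["m/44'/60'/1'"], wallets)), "account")
```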
The Broader Threat Landscape
Koh reported the crime to Singapore’s police (who confirmed the case to local news agencies), and also spoke with another victim named “Daniel,” who stated that the scam artists were still trying to lure him back into downloading the launcher even after the theft of his coins. This exploit is just one of many malware campaigns aimed at the cryptocurrency space that have been popping up in 2025. Cybercriminals are increasingly moving away from simple phishing emails and toward elaborate ruses involving fake AI tools, compromised GitHub repositories, and fraudulent game betas. By embedding malware in software that users are meant to download and run, attackers bypass the skepticism usually applied to unsolicited links.
As the industry grapples with these threats, the “MetaToy” incident serves as a grim proof-of-concept: in the current landscape, even a complete operating system reinstall may not be fast enough to outrun a drainer.