Mark Koh lost eight years' worth of accumulated cryptocurrency after downloading a fake MetaToy game launcher carrying sophisticated malware that stole wallet data even while the wallet was not open.
A Singaporean businessman fell victim to a sophisticated scam, losing his entire cryptocurrency portfolio after downloading malware disguised as a game demo. The incident once again highlights the growing danger of cyberattacks targeting the cryptocurrency community.
Mark Koh, founder of the victim-support organization RektSurvivor, shared his experience in an interview with Lianhe Zaobao and on LinkedIn. On December 5, Koh came across a Telegram post offering beta testing for an online game called MetaToy, which was later identified as a highly professional scam.
As an experienced investor who had invested in and vetted numerous Web3 projects, Koh believed MetaToy was legitimate based on the professional appearance of its website and Discord server, along with the quick responses from its team members. However, downloading MetaToy's game launcher resulted in malware being installed on his computer.
Malware can bypass multiple layers of protection.
Despite Norton antivirus warnings about suspicious activity, and despite Koh taking every standard precaution (a full system scan, deleting suspicious files and registry entries, and even reinstalling Windows 11), within 24 hours every software wallet he had connected to the Rabby and Phantom browser extensions was emptied. The total loss came to $14,189, eight years' worth of accumulated cryptocurrency assets.
Notably, Koh had not even logged into his wallet app, and his recovery phrase was stored separately and never saved in digital form. He said the attack was most likely a combination of authentication-token theft and a Google Chrome zero-day vulnerability first discovered in September, which could allow malicious code execution.
Koh emphasized that the attack used multiple vectors: he scanned and dealt with every suspicious file he could identify, and Norton blocked two DLL-hijacking attempts. The malware also installed a malicious scheduled task, a sign of the attack's complexity.
Given this level of sophistication, Koh advises likely targets, especially angel investors and developers who routinely download beta launchers, to take extra security measures. Even with standard precautions in place, he recommends removing recovery phrases from browser-based hot wallets when they are not in use and, where possible, importing individual private keys rather than a recovery phrase, so that a compromise does not also expose the other wallets derived from the same phrase.
Koh reported the incident to the Singapore police, who confirmed to Lianhe Zaobao that they had received the report. Koh also connected with another victim named Daniel, also residing in Singapore, who is in contact with the scammer to gather more information.
This incident comes against a backdrop of increasingly sophisticated cybercrime. In October, McAfee reported hackers using GitHub repositories to point banking malware at new servers whenever the previous server was taken down. This year has also seen fake AI tools used to spread crypto-stealing malware, along with fake CAPTCHAs and malicious pull requests embedded in Ethereum code extensions.