Crypto entrepreneur Mark Koh has lost more than $14,000 in crypto after unknowingly participating in a crypto fraud scheme

Singapore-based angel investor Mark Koh has lost thousands of dollars in digital assets after falling victim to malware disguised as a legitimate game. The entrepreneur revealed that he lost approximately $14,189 (100,000 yuan) in cryptocurrency that he had accumulated over the course of eight years.

Koh detailed his encounter on Monday on LinkedIn, which was later reported by the Lianhe Zaobao Newspaper. The digital asset investor confirmed that he didn’t lose his portfolio due to a crypto rug pull or from linking to a malicious dApp. He added that he hasn’t left his wallet open since his involvement in Web3 in 2017.

Koh regrets keeping his virtual assets on-chain

The early Polygon investor said he believed in crypto and helped build the DeFi ecosystem on Polygon and BSC. Koh revealed that his belief in keeping virtual assets on-chain instead of on centralized exchanges cost him everything.

The angel investor said he found a beta testing campaign for a gaming project called MetaJoy in a Telegram group. He confirmed that the campaign had a professional website, active Discord, and GitBook documentation.

A local newspaper revealed that Koh met a team member named Shanni, who claimed to be the co-founder of the Meta team. He saw that Shanni had listed some of his professional credentials, including from Persistence One and Bitunix Official. The entrepreneur added that he was also convinced since the team replied to his questions thoughtfully and didn’t rush him.

Koh argued that his numerous evaluations of Web3 projects gave him an edge in spotting scams. However, he acknowledged that the fatal mistake he made was downloading the MetaJoy game launcher, which is intended for testing beta versions. He noted that the malware in the game embedded itself in his system the moment he ran the installer.

The crypto entrepreneur said he was shocked by the sophistication of the attack, as he had never connected his wallet to anything. Koh added that his Norton antivirus,  which he’s on 360 deluxe, immediately flagged suspicious activity. 

He said he thought he was safe after deleting every suspicious file he could find in his registry entries. He added that he was even more confident about his safety after enabling TPM 2.0, memory isolation, and reinstalling Windows 11.

Koh found that all wallets connected to his Rabby and Phantom browser extensions had been completely drained just 24 hours after the incident. He also acknowledged that not just his main wallet, but all of them.

“The malware had already exfiltrated my encrypted wallet data before I even knew anything was wrong. All my cleanup efforts were already too late. The attacker waited patiently, decoded what they needed, and executed the theft when I thought the danger had passed.”

–Mark Koh, Co-Founder of RektSurvivor. 

Koh filed a police report at 21:52 hours on December 12 under Report number F/20251212/7113. He said he has been waiting for someone from the Singapore Police Force to contact him for the last three days. 

Attacker offramps stolen funds through CEXs

Koh said his involvement in the project stemmed from his belief in TPRO Network, SBP Game, and NeverLetGo. He added that he planned to support those projects by holding their crypto assets.

The angel investor believes the incident was credential theft at the operating system level. He also said his belief in self-custody over centralized exchanges, which he had advocated for years, backfired immediately.

The co-founder of RektSurvivor said his firm helps people who’ve lost funds in crypto, but he’s now one of the victims. The entrepreneur believes that the attacker may have sent the funds to other exchanges, including Cryptomus, Binance, and WhiteBIT. Koh followed on-chain data identified the attacker’s wallet (0xc17490) and included the DeBank link for the transactions.

If you're reading this, you’re already ahead. Stay there with our newsletter.