Last week, I lost my entire cryptocurrency portfolio - low six figures built over eight years. Not from a rug pull. Not from connecting to a malicious dApp. I never even had my wallet open. I've been in Web3 since 2017. Early Polygon investor. Mined ETH when it was still proof of work. Helped build the DeFi ecosystem on polygon and BSC. I believed in keeping assets on-chain rather than on centralized exchanges. That belief cost me everything. ━━━━━━━━━━━━━━━━━━━━ 𝗛𝗼𝘄 𝗜𝘁 𝗛𝗮𝗽𝗽𝗲𝗻𝗲𝗱 I came across a beta testing opportunity for a gaming project called "MetaToy" in a Telegram group. Professional website. Active Discord. GitBook documentation. A team member named "Shanni" (Telegram: @shannimt) who claimed to be "Cofounder Meta team" with credentials including work for @Persistenceone and @BitunixOfficial. They answered questions thoughtfully and didn't rush me. As someone who's evaluated countless Web3 projects, I thought I knew how to spot scams. This one looked legitimate. The fatal mistake: downloading their "game launcher" to test the beta. The moment I ran that installer, malware embedded itself in my system. Here's what makes this attack sophisticated: I never connected my wallet to anything. My antivirus Norton (don't you guys have a guarantee for this? I'm on 360 deluxe and scanned the file.) immediately flagged suspicious activity. I ran full system scans, boot-time scans, deleted every suspicious file and registry entry I could find. I thought I was safe. I even reinstalled windows (11) after enabling TPM2.0 and memory isolation. Twenty-four hours later, every single wallet connected to my Rabby and Phantom browser extensions was completely drained. Not just my main wallet - all of them. Police report Police report was made 2152 hours at 12 December Report number F/20251212/7113 @SingaporePolice looking forward for someone to get a hold of me - email, whatsapp etc. ITs been 3 days. The attacker may have offramped the funds already but the exchanges / trail are detailed below. @zaobaosg already gave me a call before anyone else. ━━━━━━━━━━━━━━━━━━━━ 𝗧𝗵𝗲 𝗖𝗼𝗹𝗹𝗮𝘁𝗲𝗿𝗮𝗹 𝗗𝗮𝗺𝗮𝗴𝗲 This wasn't just my money. I was diamond-handing tokens from friends' projects I believed in - @tpro_network , SBPgame.com , @NLGFoundation @xprotocol_org @dFusionAI . Projects I wanted to support through holding. All gone. I was a crypto angel investor with a portfolio built over eight years. Now I'm just a regular Joe starting from zero. ━━━━━━━━━━━━━━━━━━━━ 𝗧𝗵𝗲 𝗧𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝗥𝗲𝗮𝗹𝗶𝘁𝘆 The malware had already exfiltrated my encrypted wallet data before I even knew anything was wrong. All my cleanup efforts were already too late. The attacker waited patiently, decoded what they needed, and executed the theft when I thought the danger had passed. This wasn't a case of clicking "Approve" on a bad transaction. This was credential theft at the operating system level. My belief in self-custody over CEXs - something I'd advocated for years - backfired catastrophically. ━━━━━━━━━━━━━━━━━━━━ 𝗪𝗵𝘆 𝗜'𝗺 𝗦𝗵𝗮𝗿𝗶𝗻𝗴 𝗧𝗵𝗶𝘀 I'm a cofounder of RektSurvivor (rektsurvivor.com) - a free, non-profit community for people who've lost funds in crypto, built with Hsu-Chuan Li @_cryptobuddha of Offchain.Social. The irony is not lost on me. I've spent years helping others navigate these situations, and now I'm one of them. This is my second trip to rock bottom. When I left NTUC Club in 2013 to become an entrepreneur, I was negative $50k net worth. The difference is I was a lot younger then. I'm 44 now. ━━━━━━━━━━━━━━━━━━━━ 𝗙𝗼𝗿 𝗧𝗵𝗼𝘀𝗲 𝗪𝗵𝗼 𝗪𝗮𝗻𝘁 𝘁𝗼 𝗛𝗲𝗹𝗽 We've identified the attacker's primary wallet: 0xc17490aff678cc88712e117a413087949faba7e9 They've been off-ramping through three exchanges. Key transaction hashes for investigators: Cryptomus: 0x83ea24db8b7387100b7220f2eb9afb5f907af4987598000bf15d4db1303e8e6c Binance (via 0x19f4ceabd94b809d139377e96b8ecd2cc1e4beb7) WhiteBIT (via 0x19c5fb71f193c53ab893d69468b7e98dc8975664) A police report has been filed with Singapore Police Force. If you have any information about the person behind Telegram handle @shannimt or the MetaToy scam operation (metatoy.io - ⚠️ DO NOT visit, malicious site), please reach out. My original wallet address was 0xBb77eDa00654bb78aF2E1B9c40c14Df8Fc1e9bE9 - I'm "hawkerize" on DeBank. That identity is now a memorial to what I lost. Attack breakdown Initial Contact Phase Date/Time/Event 5 Dec 2025, 10:03 Victim contacts scammer (Telegram: @Hylo, username "Shanni") after seeing job posting in "memewonder" group for moderators/community managers and beta testers. 5 Dec 2025, 10:53 Scammer shares fraudulent project links: metatoy.io, x.com/MetaToyGame, discord.gg/metatoy 8 Dec 2025, 06:44 Scammer sends application form requesting personal info including ERC20 wallet address 9-10 Dec 2025 Ongoing communication; scammer offers job at $500-600/month with flexible hours Malware Delivery Phase Date/Time Event 11 Dec 2025, 08:05 Scammer tells victim to get "code for the launcher" from developer 11 Dec 2025, 08:10 Scammer provides code "eqpdra" and instructs victim to download launcher from website 11 Dec 2025, ~08:30 Victim downloads and installs malicious "MetaToy" launcher 11 Dec 2025, ~08:45 Norton Antivirus blocks credential theft attempts from "electroninstallationtelemetrylogsaver64" and "rmclient.exe" 11 Dec 2025, 09:05 Victim confronts scammer about malware detection; declines to continue Theft Execution Phase Date/Time Event 12 Dec 2025 Approximately 24 hours after malware installation, victim's Rabby and Phantom browser wallet extensions are drained 12 Dec 2025, 06:00-06:02 UTC-07:00 First wave of fund transfers to attacker consolidation wallet 0xc174...a7e9 12 Dec 2025, 20:13 Victim discovers theft and messages scammer on Telegram 12 Dec 2025 (ongoing) Attacker begins off-ramping stolen funds through multiple CEXs 4. MALWARE TECHNICAL DETAILS Delivery Method: Fake game launcher download from metatoy.io website, requiring invitation code "eqpdra" Malicious Components Identified: •        electroninstallationtelemetrylogsaver64 - Attempted browser credential theft •        rmclient.exe - Attempted browser credential theft via process injection •        Registry entry: HKEY_CURRENT_USER\Software\electroninstallation PIHTYW •        Installer folders in %AppData% and %LocalAppData% Malware Behavior: The malware targeted browser extension wallets (Rabby, Phantom) by attempting to access encrypted vault data and/or capturing credentials through process injection into legitimate Windows processes. Norton Antivirus blocked some credential theft attempts, but the malware likely exfiltrated wallet data before or through methods that evaded detection. ━━━━━━━━━━━━━━━━━━━━ 𝗙𝗔𝗤𝘀 𝗜 𝗞𝗻𝗼𝘄 𝗬𝗼𝘂'𝗹𝗹 𝗔𝘀𝗸 Did you connect your wallet to a dApp? → No. Never. Were you logged into your wallet when the attack happened? → No. I kept my wallet logged out from the moment Norton's initial alert triggered. Why didn't you use a burner wallet? → I wasn't connected to any dApp. I only installed what I thought was a game beta launcher. That was enough. Have I contacted the Exchanges → I have contacted Cryptomus so far on their contact form. And I have submitted a police report in Singapore, I have faith in our country's cybercrimes division. ━━━━━━━━━━━━━━━━━━━━ 𝗪𝗵𝗮𝘁 𝗜 𝗪𝗮𝗻𝘁 𝗬𝗼𝘂 𝘁𝗼 𝗧𝗮𝗸𝗲 𝗔𝘄𝗮𝘆 If you download and run any executable - even from a "legitimate-looking" project - you are exposed. Browser extension wallets are vulnerable to system-level malware regardless of whether you're logged in or connected to anything. Consider hardware wallets for anything significant. Treat every download as a potential attack vector. I already use redundant wallets, cold wallets, multisigs, have 2FA on everything, strong passwords, a password manager, airgapped physical recovery phrases. So believe me, you CAN BE A VICTIM still. And if you get rekt, know that you're not alone. RektSurvivor exists because this community is stronger together. ━━━━━━━━━━━━━━━━━━━━ 𝗔𝗰𝗸𝗻𝗼𝘄𝗹𝗲𝗱𝗴𝗲𝗺𝗲𝗻𝘁𝘀 Blockchain forensic charts provided by Basel Ismail, Founder of @Blockcircle - thank you for the rapid analysis that helped trace the fund flows. To the RektSurvivor community members who reached out with support, emergency funds, and even job offerings - your kindness in my darkest moment means everything. Special thanks to Daniel Milton, Louis Chen, Jan Hanken of Arc Accelerator, John and Howie of @elephantsinc Elephants.inc, and @Jayz079 Jayz Nguyen of @ Ufin. ━━━━━━━━━━━━━━━━━━━━ If you've experienced something similar or want to learn more about protecting yourself, visit rektsurvivor.com 📷Maximize imageEdit imageDelete image #Web3Security #CryptoScam #InfoSec #RektSurvivor #CyberSecurity #Blockchain #CryptoSafety

Excited to be visiting team @CometWeb3Studio in Laos for Laos Blockchain Week for some exciting networking and Vibe Coding events w/ @COTInetwork!

Thanks to Country Partners (Laos) @CometWeb3Studio for leading an interesting event in the Yaru office this evening.

See y’all later at our comet and @YaruLabs event

Great seeing the hub of creators and builders starting to form as Yaru Create opens its doors to the local community in addition to those globally present.

💭 What’s an airdrop? Here’s the quick lowdown for anyone new to crypto 💸 #CryptoBasics #Airdrop #Web3 #Cometcrew

AI changed who can build. Social media changed who can be heard. Now, one person can build in a day what once took a team months. COTI's CEPO @JoshuaBMaddox leads the conversation on what this new era of creation means, at the ARC Start Up Accelerator Conference in @Aupp_kh, Cambodia. check it out 👇 $COTI