Victims in Singapore lost at least $1 million between May and July 2026 to impersonation scams involving Microsoft and Crypto.com, according to the Singapore Police Force (SPF). The fraudulent schemes utilized social engineering and deceptive communications to trick individuals into transferring funds to unauthorized accounts.
This isn’t a sophisticated zero-day exploit. It’s a classic human-layer failure. The attackers aren’t breaking the encryption; they’re breaking the user.
How the Impersonation Mechanics Work
The SPF reports that scammers posed as representatives from Microsoft and Crypto.com to gain trust. In these scenarios, the “attacker” typically initiates contact via phone calls or messages, claiming a security breach or a mandatory account update. Once the victim is hooked, the scammer directs them to move assets to a “secure” wallet or pay a “fee” to resolve a fictitious technical issue.

From a technical standpoint, these attacks leverage the psychological gap between a user’s trust in a brand and their understanding of Common Vulnerabilities and Exposures (CVE). While the software remains secure, the delivery mechanism—often SMS or WhatsApp—bypasses the secure channels of the actual platforms. The scammers rely on the fact that most users cannot distinguish between a legitimate corporate API notification and a spoofed message.
The financial drain is significant. The SPF confirmed the losses exceed $1 million, marking a sharp spike in targeted impersonation since May.
Why Crypto Wallets are the Primary Target
The choice of Crypto.com as a target isn’t accidental. Cryptocurrency transactions are immutable. Once a victim sends funds to a scammer’s wallet address, there is no “undo” button or centralized authority to reverse the transaction. This is the fundamental tension of decentralized finance: the same lack of a middleman that provides privacy also removes the safety net.

- Irreversibility: Unlike a credit card chargeback via a bank, blockchain transfers are final.
- Anonymity: Scammers use “mixers” or rapid-fire transfers across multiple chains to obfuscate the money trail.
- Urgency: The scams create a “false crisis,” forcing users to act before they can verify the claim via official support channels.
This mirrors a broader trend in cybersecurity where the “human firewall” is the weakest link. Even with OWASP-standard security implementations on the backend, a user handing over a seed phrase or transferring funds via a social engineering prompt renders the technical security moot.
The Infrastructure of the Scam
These operations typically function as “scam-as-a-service” hubs. The attackers likely use VoIP (Voice over IP) services to spoof local Singaporean phone numbers, making the calls appear legitimate. They often employ “pig butchering” tactics—building a rapport with the victim over days or weeks—before introducing the “investment opportunity” or “security alert” that leads to the theft.
For those using Microsoft services, the scams often mimic “Technical Support” alerts. These are usually delivered via pop-ups or emails that claim the user’s PC is infected with a virus, leading them to a fake support number. This is a legacy attack vector that has evolved to include demands for payment in cryptocurrency or gift cards.
The shift toward crypto payments for these scams allows attackers to bypass the FBI’s and Interpol’s ability to freeze traditional bank accounts in real-time.
Mitigation and Enterprise Defense
To counter these threats, the SPF and cybersecurity agencies emphasize a “Zero Trust” approach to unsolicited communications. If a service provider asks for a password, seed phrase, or an immediate transfer of funds via a non-official channel, it is a red flag.

For the technical user, the defense is simple: always verify the identity of the requester through an independent, authenticated channel. This means logging into the official website manually rather than clicking a link in an email or following a prompt from a phone call.
Enterprise-level mitigation involves implementing FIDO2-compliant hardware security keys. While these don’t stop a user from voluntarily sending money to a scammer, they prevent the initial account takeover that often precedes the impersonation phase.
The SPF continues to investigate the cases and urges the public to report suspicious activity immediately. The $1 million loss is a stark reminder that as the technical barriers to entry for hackers rise, the focus shifts back to the most vulnerable component of any system: the person operating it.