The Singapore Police Force (SPF) would like to alert members of the public and businesses of cryptocurrency scams involving malicious links and unauthorised transactions, which have resulted in significant financial losses. Scammers are increasingly leveraging online platforms and messaging services to deceive victims and compromise their cryptocurrency holdings. Members of the public are advised to remain vigilant against the following scam variants.
Permit Signature Exploitation via Social Engineering
In this variant, victims are first contacted by scammers posing as clients or business associates, often through messaging platforms such as Telegram. The scammer proposes a video call and shares a link to join via a web browser (refer to Annex A). Upon clicking the link, victims encounter a pop-up message falsely stating that a software component on their device has expired and requires updating. Victims are then instructed to download a file and execute commands on their computer, unknowingly installing malware that compromises their devices. With the malware in place, the attacker is positioned to monitor the victim's cryptocurrency activity and intercept wallet credentials.
The attacker then exploits this access by deceiving the victim into approving a "permit signature" - a feature that allows users to pre-authorise a future cryptocurrency transaction by signing a message off-chain. By approving such requests, victims may unknowingly allow scammers to carry out future cryptocurrency transactions from their wallets without further approval, even if a hardware wallet is used. As no funds are transferred immediately, victims may not realise that they have given scammers access to their assets. The stolen cryptocurrency may then be moved through various platforms to make it harder to trace and recover.
World Cup-Themed Cryptocurrency Scam
Scammers may also leverage ongoing major events to target cryptocurrency users, such as the FIFA World Cup 2026.
Fraudulent websites may advertise FIFA World Cup tickets or official merchandise for purchase using cryptocurrency. Scammers create authentic-looking FIFA or World Cup-themed ticketing sites offering “exclusive” tickets and direct victims to pay using cryptocurrencies such as Bitcoin or USDT. Once payment is made, the goods are not delivered, and the fraudulent websites are subsequently taken down. Recovering funds is often challenging.
The Police have also observed scam variants involving fake "Official World Cup Tokens" or fan coins fraudulently marketed as official or team-affiliated digital assets. Victims may be misled into investing in these tokens, whose value is artificially inflated before scammers sell off their holdings, causing prices to collapse.
Victims searching for free World Cup streaming services may be redirected to phishing websites that prompt them to connect their cryptocurrency wallets, make cryptocurrency payments, or install malware. These sites may compromise credentials, financial information, or cryptocurrency assets. In some cases, AI-generated deepfake content featuring athletes or celebrities has been used to promote such fraudulent platforms, making them appear more convincing.
SPF would like to advise cryptocurrency users to adopt the following precautionary measures:
- Use Secure Wallets: Store cryptocurrencies in hardware wallets where possible, as these are less vulnerable to online attacks. If frequent transactions are required, use software wallets from reputable or regulated service providers to ensure wallets and applications are kept updated with the latest security patches. However, users should note that some hardware wallets may display limited transaction details when approving signing requests, which may increase the risk of inadvertently authorising malicious transactions. Therefore, users should carefully review every signing request before approving it.
- Use Strong Passwords and Enable Two-Factor Authentication (2FA): Set strong, unique passwords for all wallets and exchange accounts. Always enable 2FA for cryptocurrency-related accounts, and where possible, use an authenticator application rather than SMS-based verification, which is more susceptible to interception.
- Use Trusted and Regulated Cryptocurrency Platforms: Where possible, consider using cryptocurrency service providers that are licensed or regulated by the Monetary Authority of Singapore (MAS).
- Protect Your Seed Phrase: Do not enter your seed phrase on any website, application, or device that you do not fully trust. Legitimate wallet applications will not request your seed phrase outside of secure wallet setup or recovery processes. Your seed phrase should only ever be entered directly on the hardware wallet device during initial setup or when recovering your wallet. Store it in physical form (e.g., written on paper) at a secure location and do not share it with anyone.
- Beware of Phishing Attempts: Do not run unknown commands on your computer, click on unsolicited links, or download attachments from unknown sources, even if they appear to come from familiar contacts. Always verify links and websites against official sources before accessing any cryptocurrency platform. Be cautious of cryptocurrency opportunities that require upfront cryptocurrency payments or sound too good to be true.
- Verify Platforms and Transactions: Always access cryptocurrency platforms through official websites or applications. Avoid clicking on links provided via unsolicited messages or advertisements. Carefully review transactions and signing requests before approving them, especially when interacting with unfamiliar platforms.
- Stay Updated and Informed: Keep up to date with the latest security threats and best practices in cryptocurrency security through official and trusted sources. Regularly review and revoke permissions previously granted to websites or applications to access your cryptocurrency assets, particularly when using trading or DeFi platforms. Where significant sums are involved, consider conducting additional due diligence before using new platforms or approving unfamiliar transaction requests.
If you are or suspect that you are a victim of cryptocurrency-related crime, take the following steps immediately:
- Contact your cryptocurrency exchange to halt further transactions or freeze your account, where possible.
- Review and revoke any suspicious token approvals using your wallet interface or a blockchain explorer.
- If your wallet's seed phrase has been compromised, transfer all remaining assets to a new, uncompromised wallet immediately.
- Report the incident to the Police. You may also report any fraudulent cryptocurrency phishing websites to CSA’s SingCERT at singcert@csa.gov.sg or via the incident reporting form at https://www.csa.gov.sg/singcert/reporting.
If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/i-witness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’. If you are unsure if something is a scam, call the 24/7 ScamShield Helpline at 1799 or download the ScamShield app to check, detect and block scams. For more information on scams, visit www.scamshield.gov.sg.
Screenshot of Phishing Link

PUBLIC AFFAIRS DEPARTMENT
SINGAPORE POLICE FORCE
01 July 2026 @ 3:00 PM
