After meeting fraudsters of fake investors in the lobby of a hotel in the Roman Empire, the founders of Webaverse, a game module in Web3's virtual world, revealed that they were the victims of a cyber hacker using a password worth 4 million dollars.

According to founder Ahad Shamsul, the weirdness of the story is that the login password was stolen from a newly formed trust wallet and the hacking occurred at some point during the meeting.

He claimed that the thief was unlikely to see the public key and that he had not yet transmitted it to the public WiFi Internet.

Shams felt that the thief was taking pictures of the balance of his wallet and somehow was able to get in.

The letter, which was introduced on Twitter on February 7th, consists mainly of statements from Webavers and Shamsul, who explained that after weeks of discussion about possible funding, they met with a young man named Zablah on November 26th.

"people got in touch with Mr. Zablah by email and video call, and he explained that he wanted to invest in an exciting Web3 company," Shamsul explained.

He added: "he explained that he had been cheated with the login password before, so he collected our own identity documents for KYC and asked us to fly to the Roman Empire to meet him, because it is very important to meet IRL for all of us to 'fit in' as businessmen," he added.

Despite his initial skepticism, Shamsul was allowed to meet "Mr. Zablah" and his "financier" in person in the lobby of a hotel in Rome. Shamsul will present "financial confirmation" of the project there, which "Mr. Zablah" claims he needs to gradually "document work".

Although we made do with the 'confirmation' of Trust Wallet, we set up a new Trust Wallet account at home, and the machine key of the application is not what we mainly use to communicate with them. The idea is that we don't have our own public keys or seed statements, and money is particularly safe anyway.

When we met, we sat directly opposite the three men and transferred 4 million dollars into the trust wallet. Old Mr. Zablah asked to check the account balance in the Trust Wallet app, then took out his phone and took a few pictures.

Shamsul explained that he thought it would be fine if there was no public key or seed statement revealed to "old Mr. Zablah".

But once "Mr. Zablah" got out of the chamber and consulted his friends in financial institutions, he never came back. Then Shams saw the money being sucked away.

People haven't seen him since. Ten minutes later, the money left the wallet.

Basically after that, Shams reported the theft to the local public security bureau of the Roman Empire and submitted an Internet Crime report (IC3) to the fbi a few days later.

Shamsul says he still doesn't know how Old Mr. Zablah and his fraud syndicate took advantage of the flaw:

The interim news of the ongoing investigation is that people are still unable to proudly attack the media. Investigators have already checked the current evidence and had a long conversation with the person in charge, but further technical information is needed before they can come to a proud conclusion.

Specifically, we should get more information from Trust Wallet about the thematic activities in the wallet, which are used up for technical results, and people are actively checking his records. This may give you a better understanding of how it happened.

Cointelegraph contacted Shams, and when she revealed the money in her trust wallet, he confirmed that he had not sent it to WiFi in the hotel lobby.

The WebaVerse founder believes that this way of exploiting system vulnerabilities is similar to NFT entrepreneur Jacob Regling's sharing of NFT scam stories on July 21, 2021.

There, Regling explains, she met with a hidden partner in Barcelona and verified that there was enough money on its computer, which was then consumed within 30 to 40 minutes.

Since then, Shams has shared its trust wallet to be used according to ethernet buying and selling transactions, and stressed that the funds were quickly divided into six transactions and sent to six latest addresses, none of which had any previous theme activities.

Using a $4 million USDC is then converted into ETH, BTC (WBTC), and USDT based on almost one inch of exchange.

Shams acknowledges that "this incident still haunts me" and that a $4 million system vulnerability is "a setback" for Webaverse.

However, he stressed that the use of $4 million worth of system vulnerabilities and difficult to resolve investigation and analysis will not affect the company's short-term performance pledges and plans:

"according to our current forecast, there are plenty of playgrounds for 12 to 16 months and we are successfully completing our plan."

Cointelegraph has contacted Trust Wallet for comment.