the game and the user are gone from itch.io so i couldn't run a test on any.run if you have the file you can upload it and test it for me. It will give screenshots and information of where it will it is going in the internet. Other than that this doesn't seem to be a problem with itch.io but discord. Even if wasn't uploaded to itch.io the virus software should still work the same in another uploading site like Drive or Dropbox.
The person got hacked, you believed in the hacked person, you let Discord keep your paypal information, Discord fault for doing nothing or not fixing this fast and Paypal fault for not stopping the $1000 payment that happen within minutes. The only way this scam works is if the criminal got hold of Discord users who download the Discord software and the user has the payment saved on Discord. They make Discord software do something on payment section of Discord code and Paypal believes it is you.
This is not itch.io fault it's Discord and Paypal, as well as you for having a saved billing option.