Canadian scammer posing as Coinbase support exposed in $2 million crypto theft

A scammer posing as support personnel from Coinbase defrauded more than $2 million in cryptocurrency during 2025 by staging social engineering attacks.

Blockchain investigator ZachXBT exposed the Canadian threat actor, known as Haby or Havard, using on-chain analysis and social media evidence. The scammer made calls to Coinbase users with phone numbers claiming to be from customer support, and then directed the victims to transfer funds to wallets controlled by the attackers.

ZachXBT traces theft via blockchain analysis.

Investigations began when Haby, on December 30, 2024, posted a screenshot showing a 21,000 XRP theft worth $44,000 from a Coinbase user. ZachXBT matched the wallet address to two additional Coinbase user thefts amounting to approximately $500,000. Analysis showed Haby had swapped stolen XRP to Bitcoin through instant exchanges.

9/ Additional screenshots taken from his IG show off more social engineering thefts.

One story post leaked "From "Harvi's MacBook Air"

A person from their chat even advised him to stop flexing so often. pic.twitter.com/YJQlbxTfyK

— ZachXBT (@zachxbt) December 29, 2025

Through timing analysis, ZachXBT tracked down Haby’s Bitcoin address. In February 2025, Haby had shared screenshots in a group chat showing a wallet containing $237,000.

The Bitcoin balance for the identified address matched the screenshots from February 1, 2025. Tracing backward from this address uncovered three additional Coinbase support impersonation thefts totaling over $560,000.

The investigator linked the wallets to Haby through leaked information in social media posts and screen recordings. A leaked video showed Haby conducting a social engineering call with a target.

The screen recording exposed the email address and his Telegram account. Additional Instagram screenshots displayed posts bragging about social engineering thefts. One story post revealed “From Harvi’s MacBook Air” in the device information.

Scammer operated with poor operational security

Haby regularly posted stories and selfies on social media platforms displaying his lifestyle funded by stolen cryptocurrency. The posts showed purchases of expensive Telegram usernames, luxury items, bottle service, and gambling expenses. A member of his chat group advised him to stop posting about his activities so frequently.

The scammer appeared to have little concern for operational security. Social media analysis revealed his location in Abbotsford, near Vancouver, British Columbia. OSINT performed on his story posts confirmed the location.

Haby frequently bought expensive Telegram usernames and deleted his most recent account two days before the investigation was published. Previous accounts showed his alias in various chats, confirming the authenticity of leaked screenshots.

Coinbase support impersonation scams escalated in 2025

The 2025 period was a rather challenging time for Coinbase users. Attackers moved from traditional phishing to precision targeting using data stolen from Coinbase support systems. A May 2025 insider data breach carried out highly effective impersonation scams throughout the year.

It involved bribery by cybercriminals who hired overseas customer support agents, mainly in Hyderabad, India, to steal internal data. Compromised information includes names, emails, phone numbers, home addresses, government ID images, and real-time account balances.

The attackers did not access the private keys and passwords directly. Overall, about 1% of Coinbase users were targeted, amounting to approximately 70,000 high-value clients.

Attackers demanded a $20 million ransom in exchange for deleting the stolen data. Coinbase declined the ransom demand, set up a $20 million bounty on the attackers, and refunded affected victims.

Multiple arrests happened in December 2025

Law enforcement activity peaked in December 2025 with several arrests related to Coinbase impersonation scams. Ronald Spektor of Brooklyn, New York, was charged with stealing $16 million from approximately 100 users.

His methodology involved using stolen customer data to pose as Coinbase “Elite Support” and alerting users to pending unauthorized transactions. He guided victims to move funds to a “secure vault” that was actually a wallet he controlled.

Indian police arrested a former Coinbase support agent on December 29, 2025, connected to the May data theft. The arrest confirmed the bribed insider theory and was the first major law enforcement action against the source of the data leak.

If you're reading this, you’re already ahead. Stay there with our newsletter.