Canadian Scammer Posed as Coinbase Support, Stole $2M

A Canadian individual allegedly stole more than $2 million in cryptocurrency by impersonating Coinbase customer support representatives over the past year. Blockchain investigator ZachXBT exposed the scheme on Monday through detailed on-chain analysis and social media evidence.

1/ Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling. pic.twitter.com/bBqrV7GmPi

— ZachXBT (@zachxbt) December 29, 2025

The alleged scammer reportedly used social engineering tactics to deceive Coinbase users into believing they were speaking with legitimate exchange staff. ZachXBT claimed the stolen funds were subsequently spent on rare social media usernames, bottle service, and gambling.

The investigation began after the suspect allegedly posted a screenshot in a Telegram group chat on December 30, 2024. The image showed off a 21,000 XRP theft valued at approximately $44,000 from a Coinbase user.

ZachXBT shared a leaked video in his X post showing the alleged scammer on a phone call with a victim. The suspect was reportedly providing fake customer support during the recorded conversation.

Digital Trail Leads to Alleged Scammer

The blockchain sleuth employed multiple investigative techniques to identify the suspect. Cross-referencing Telegram group chat screenshots, social media posts, and wallet transactions proved crucial to the investigation.

On January 3, 2025, the suspect allegedly posted a screenshot from an Exodus wallet displaying connected Telegram and Instagram accounts. ZachXBT matched historical wallet balances to this screenshot.

This analysis linked one XRP address to two additional Coinbase user thefts totaling approximately $500,000. The investigator traced funds through instant exchanges where XRP was swapped for Bitcoin.

Through timing analysis, ZachXBT located a Bitcoin address allegedly controlled by the suspect. The blockchain detective published wallet addresses associated with the alleged thefts in his public thread.

4/ Haby swapped his cut from the thefts from XRP to BTC via instant exchanges.

By performing a timing analysis i was able to locate his BTC address.

bc1qn3k5cz3905p6k50r44pjlj2rl9qcy72flsq3zh pic.twitter.com/jfVosUDEMX

— ZachXBT (@zachxbt) December 29, 2025

Open-source intelligence from social media story posts placed the suspect in Abbotsford, near Vancouver. ZachXBT stated the exact address could be easily found on Google Maps but withheld it due to platform terms of service.

The suspect allegedly purchased expensive Telegram usernames frequently and deleted his most recent account two days before the investigation was published. Previous aliases were confirmed through various chat screenshots.

ZachXBT noted the suspect regularly posted selfies and stories flaunting his lifestyle with little regard for operational security. The investigator also mentioned the suspect was caught interacting with online personalities.

7/ In this leaked video here’s Haby as a caller social engineering a target.

In the screen recording he leaks the email habyclown@gmail[.]com and his Telegram account with a number. pic.twitter.com/rd0FOZWoxr

— ZachXBT (@zachxbt) December 29, 2025

The blockchain investigator expressed frustration with Canadian jurisdiction, noting it rarely prosecutes threat actors from online criminal communities. He called for authorities to make an exception given the substantial evidence available.

ZachXBT emphasized that the suspect shows zero remorse for the victims. The investigator characterized this as a relatively straightforward case due to the large quantity of evidence compiled.

Social Engineering Remains Major Crypto Threat

Social engineering attacks continue to plague cryptocurrency users across major exchanges. These schemes typically involve scammers posing as representatives from legitimate organizations to gain victims trust.

Attackers use this trust to extract private data or convince victims to authorize dubious transactions. Impersonating customer support remains one of the most effective tactics employed by crypto criminals.

Coinbase users are frequently targeted due to the exchange’s large user base and mainstream recognition. The platform has repeatedly warned users that legitimate support staff will never request sensitive account information.

Meanwhile, separate crypto security incidents continue to impact the industry. On November 3, 2025, decentralized finance platform Balancer experienced a $128 million exploit affecting its V2 Composable Stable Pools.

Today, around 7:48 AM UTC, an exploit affected Balancer V2 Composable Stable Pools.

Our team is working with leading security researchers to understand the issue and will share additional findings and a full post-mortem as soon as possible.

Because these pools have been live… pic.twitter.com/LRLNNXogt3

— Balancer (@Balancer) November 3, 2025

The Balancer attack occurred at 7:48 AM UTC, impacting users across the Ethereum mainnet and several layer-2 networks. The company confirmed V3 and other pool types remained unaffected by the breach.