ZachXBT investigation details reveal new Coinbase scam tied to Canadian support impersonator

A new report on a complex fake Coinbase scam shows how a Canadian fraudster used support impersonation to steal millions in digital assets from platform users.

Canadian support impersonator steals over $2 million

A Canadian scammer posing as a support executive from crypto exchange Coinbase allegedly stole over $2 million in crypto from unsuspecting users through highly targeted social engineering schemes. Moreover, the individual repeatedly presented himself as a legitimate Coinbase support agent during calls and chats to win victims’ trust.

Independent on-chain analyst ZachXBT traced the scheme by cross-referencing wallet activity, Telegram accounts, and social media posts. According to his findings, the fraudster spent the proceeds on rare social media usernames, bottle service, and gambling, highlighting how quickly illicit crypto gains can be converted into a lavish lifestyle.

How the social engineering crypto scam operated

The investigation, detailed in a post on X dated Dec. 29, describes a sophisticated social engineering crypto scam in which the attacker convinced Coinbase users that he was a genuine support representative. However, behind the scenes, he was systematically guiding victims into making unauthorized transactions that funneled funds into wallets

he controlled.

For those unfamiliar with the tactic, social engineering, often called human hacking, relies on psychological manipulation rather than technical exploits. Attackers pressure or deceive individuals into revealing sensitive information or approving transfers, making it one of the most effective cryptocurrency wallet theft methods currently observed in retail-focused fraud.

In one leaked video shared by ZachXBT, the scammer can be seen pretending to be a Coinbase support agent while speaking with a user. During the call, he inadvertently reveals an email address and his Telegram handle, which investigators then used to tie his identity to various online profiles and crypto wallets.

Tracking the suspect behind the Coinbase support impersonation

Throughout the campaign, the fraudster, whom ZachXBT dubbed “Haby (Havard)”, allegedly accumulated more than $2 million over roughly a year. That said, his pattern of spending on premium Telegram identities became a key clue, as he continually purchased expensive Telegram usernames and deleted older accounts in an apparent attempt to erase his digital footprint.

However, this operational security mistake intersected with his public behavior. Haby reportedly posted openly on social media, flaunting luxury goods and nightlife expenses that appeared inconsistent with any legitimate income. These posts, combined with blockchain data and messaging records, ultimately enabled ZachXBT to piece together the scammer’s profile.

According to the investigation, the suspect’s activity and personal details aligned closely enough for the analyst to reportedly pinpoint his location in Abbotsford, British Columbia, turning what started as an online anonymity play into a traceable abbotsford crypto fraud case.

Broader pattern of Coinbase-focused attacks

The case fits into a wider trend in which Coinbase, due to its high profile and large user base, becomes a prime target for threat actors. Moreover, attackers deploy multiple vectors, including phishing campaigns, coinbase scam emails, live impersonation calls, and fake support chats, all aimed at bypassing user security rather than breaking platform infrastructure.

Once funds are stolen, they are often quickly moved through mixing services or converted into privacy coins, a process frequently described as privacy coins laundering. Because blockchain transactions are typically irreversible, recovery becomes extremely difficult unless law enforcement can rapidly identify and intercept the flows in cooperation with exchanges.

Previous large-scale losses linked to Coinbase users

Earlier this year, ZachXBT publicly urged Coinbase to take urgent action after uncovering that similar social engineering schemes resulted in at least $65 million stolen from Coinbase users between December 2024 and January 2025. However, he emphasized that these numbers likely understate the true scale, as many victims never report incidents.

In a separate case disclosed in June, the investigator exposed a New York-based scammer using the alias “Daytwo”. This individual allegedly stole over $4 million from Coinbase customers, including a single $240,000 theft from a senior citizen. The stolen funds in that operation were frequently diverted to online gambling platforms and converted into privacy-focused assets such as Monero.

Other leading exchanges, including Binance, have faced comparable attacks involving fraudulent support outreach and fake security alerts. That said, the level of detail in this latest zachxbt investigation details illustrates how open-source intelligence and on-chain forensics can still unmask individual perpetrators.

Recognizing and avoiding a coinbase scam

The term coinbase scam in this context generally refers to criminals misusing the brand to exploit users, rather than any wrongdoing by the exchange itself. Moreover, many incidents share recurring warning signs that retail investors can learn to spot early.

Legitimate support representatives from major exchanges will never ask for seed phrases, full login credentials, or two-factor authentication codes. They also will not redirect conversations to unverified third-party channels such as random WhatsApp numbers or personal Telegram accounts, which often feature prominently in coinbase scam calls and chat-based fraud.

Key safety practices for exchange users

To reduce risk, users should independently verify any unexpected outreach claiming to come from an exchange, especially if it references a supposed coinbase email scam or urgent account compromise. However, instead of engaging through links or numbers provided in the message, they should log in directly via the official website or app and contact support from there.

It is also critical to double-check URLs, avoid downloading remote-access software at a stranger’s request, and treat any demand for immediate large transfers as a red flag. By combining basic operational security habits with skepticism toward unsolicited assistance, users can significantly lower their exposure to evolving social engineering threats.

In summary, the case of Haby in Abbotsford, together with earlier multimillion-dollar thefts tied to Coinbase users, underscores how social engineering remains one of the most effective tools for crypto fraudsters. However, ongoing investigative work by analysts like ZachXBT, along with better user education and exchange security practices, can gradually narrow the window of opportunity for such schemes.