ZachXBT Exposes “Canadian” Scammer Who Stole $2M Via Fake Coinbase Support

Blockchain investigator ZachXBT has exposed a Canada-based scammer who allegedly stole more than $2 million in cryptocurrency by impersonating Coinbase customer support, adding to a growing list of social engineering cases targeting users of major exchanges.

In a series of posts on X, ZachXBT said the alleged scammer, identified by the alias “Haby” or “Havard,” spent more than a year posing as a Coinbase help desk worker and tricking users into handing over funds.

ZachXBT Tracks Coinbase Scammer Through Screenshots and Wallet Data

According to the investigator, the suspect relied on classic social engineering tactics rather than technical exploits, manipulating victims into believing their accounts were under threat and needed immediate intervention.

ZachXBT said he was able to trace the activity by cross-referencing screenshots shared in Telegram group chats, social media posts, and on-chain transaction data.

In an instance, dated Dec. 30, 2024, the alleged scammer posted a screenshot boasting of a 21,000 XRP theft, worth about $44,000 at the time, taken from a Coinbase user.

Further analysis linked that XRP address to additional Coinbase-related thefts totaling roughly $500,000.

The investigator said the suspect routinely converted stolen XRP into bitcoin using instant exchange services, a move intended to obscure transaction trails.

By analyzing transaction timing and wallet balances, ZachXBT said he identified a bitcoin address that later displayed a balance of about $237,000 in February 2025, matching screenshots the suspect had shared while showing off his funds in private chats.

Tracing backward from that address revealed three more Coinbase impersonation thefts worth more than $560,000.

ZachXBT also shared a leaked screen recording that allegedly shows the suspect on a call with a victim, impersonating Coinbase support.

In the video, the caller is heard guiding the target through what appeared to be fake security steps while inadvertently revealing an email address and Telegram account tied to the operation.

The suspect reportedly bought expensive Telegram usernames and deleted older accounts in an attempt to evade detection, though repeated online bragging made attribution easier.

Crypto Users Face Rising Losses as Social Engineering Attacks Spread

The case surfaced as authorities in India recently arrested a former Coinbase customer support agent in Hyderabad over a separate data breach affecting nearly 70,000 users.

Coinbase CEO Brian Armstrong said the breach stemmed from a bribery scheme targeting offshore support staff and resulted in about $307 million in remediation and reimbursement costs.

Coinbase refused to pay a $20 million ransom linked to the incident and instead launched a bounty program to aid investigations.

Social engineering scams like the one described by ZachXBT typically begin with unsolicited calls, texts, or emails that appear to come from a legitimate company.

Scammers often create urgency by claiming there has been suspicious activity or an imminent account compromise, then pressure victims into revealing login credentials or two-factor authentication codes or transferring funds to wallets controlled by the attacker.

The exposure of the alleged Canadian scammer follows other recent enforcement actions. In the United States, prosecutors charged a 23-year-old Brooklyn resident with stealing about $16 million from roughly 100 Coinbase users through a similar impersonation scheme.

That investigation also relied on blockchain analysis and resulted in the seizure of cash and digital assets, with recovery efforts ongoing.

Industry data show crypto theft remains widespread, with more than $3.4 billion stolen across the sector between January and early December 2025.

Security experts continue to urge users to avoid responding to unsolicited messages, never share passwords or recovery phrases, and only contact support through official websites or apps.