A recent investigation by blockchain analyst ZachXBT has brought to light the activities of a Canada-based scammer who is believed to have swindled over $2 million in cryptocurrency. The scammer allegedly impersonated customer support representatives from Coinbase, escalating concerns about social engineering schemes targeting users of major cryptocurrency exchanges.
ZachXBT revealed that the individual, who goes by the alias “Haby” or “Havard,” operated for more than a year, deceiving victims into transferring their funds under the guise of urgent account security measures. The investigator’s findings were shared in a series of posts on social media platform X, showcasing a meticulous tracking process through transaction data and screenshots.
The investigation highlighted the suspect’s reliance on common social engineering tactics to instill fear in potential victims regarding the safety of their accounts. By cross-referencing information from social media platforms, Telegram chats, and blockchain transaction records, ZachXBT constructed a timeline of the scammer’s activities.
One notable incident dated December 30, 2024, revealed the scammer boasting about stealing 21,000 XRP, worth approximately $44,000 at the time, from a Coinbase user. Further analysis revealed the same XRP wallet was linked to additional thefts totaling about $500,000. Moreover, the suspect frequently converted stolen XRP into Bitcoin using instant exchange services, a strategy designed to obscure the transaction trail.
Through careful examination of wallet balances and transaction timings, ZachXBT identified a Bitcoin address that had accrued a balance of around $237,000 in February 2025. This matched the amounts displayed in screenshots shared by the scammer during private conversations. Tracing back from this address led the investigator to uncover additional impersonation thefts from Coinbase users exceeding $560,000.
A leaked video was shared by ZachXBT, purportedly showing the suspect in a call with a victim, where they impersonated Coinbase support. The call captured the scammer supposedly guiding the victim through fraudulent security procedures, inadvertently revealing key information such as an email address and a Telegram account linked to their operations. Despite efforts to avoid detection by purchasing expensive Telegram usernames and deleting older accounts, the suspect’s frequent online boasting made it easier for investigators to trace their activities.
The exposure of “Haby” comes on the heels of a related incident in India, where authorities arrested a former Coinbase support agent over a data breach impacting nearly 70,000 users. Coinbase CEO Brian Armstrong noted that this breach stemmed from a bribery scheme involving offshore support staff, culminating in substantial remediation costs.
Social engineering scams are increasingly prevalent in the cryptocurrency sector, often initiated through unsolicited communications that appear legitimate. Scammers create a sense of urgency by claiming suspicious activity or a potential account breach, pressuring victims to divulge sensitive information or transfer funds to wallets controlled by the attackers.
This recent case aligns with broader enforcement actions, including charges against a 23-year-old individual in Brooklyn implicated in stealing approximately $16 million from Coinbase users through a similar scheme. Blockchain analysis played a crucial role in that investigation, which led to cash and digital asset seizures.
Industry data underscores the ongoing issue of cryptocurrency theft, recording over $3.4 billion in stolen assets within the sector from January to early December 2025. Security experts are urging users to exercise caution by avoiding unsolicited messages, refraining from sharing sensitive credentials, and only contacting support through verified channels.
