ZachXBT Reveals Canadian Scammer’s $2 Million Crypto Theft Through Coinbase Impersonation

Imagine a frantic phone call from someone claiming to be Coinbase support, warning of an imminent account breach and guiding you through “security steps” that drain your wallet— a scenario that has ensnared victims worldwide, leading to losses exceeding $2 million in one exposed case.

Unmasking the Scam: ZachXBT's Investigation into a Canadian Operator

Blockchain investigator ZachXBT has publicly detailed a year-long operation by an individual known online as Haby (also referred to as Havard), allegedly responsible for stealing over $2 million in cryptocurrency. The scams relied on social engineering tactics, where the perpetrator impersonated Coinbase customer support to trick users into revealing wallet access or transferring funds. Activities traced back to late 2024 show a pattern of targeting individual accounts, with evidence including wallet transactions, social media boasts, and leaked communications.

Key Details from the Exposed Operation

ZachXBT’s analysis, drawn from public posts and blockchain data, highlights the scammer’s methods and spending habits:

• Initial Theft Example: In December 2024, the operator reportedly stole 21,000 XRP, equivalent to approximately $44,000 at the time, from a single Coinbase user via a support impersonation ploy.
• Wallet Linkages: Blockchain tracing connected a Bitcoin address to the individual, revealing additional thefts totaling more than $560,000. One wallet balance reached about $237,000 by February 2025, as shown in group chat screenshots.
• Operational Tactics: Leaked videos and Telegram handles depict active social engineering calls, using fabricated urgency to manipulate victims. The scammer maintained poor operational security, posting selfies, lifestyle flexes on Instagram (including bottle service and gambling), and even rare social media usernames purchased with stolen funds.
• Evidence of Boasts: Screenshots from Instagram stories, leaked from “Harvi’s MacBook Air,” show the individual celebrating thefts, prompting warnings from associates to reduce visible displays of wealth.

"Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year blowing the funds on rare social media usernames, bottle service, & gambling," ZachXBT stated in a detailed X thread.

The investigation also notes multiple swatting incidents involving the scammer’s personal details in Canada, suggesting local law enforcement awareness. However, uncertainties remain around the full extent of untraced funds, as blockchain analysis can only confirm public transactions.

Broader Trends and Security Implications in Web3

This exposure underscores a shift in crypto threats toward social engineering, where attackers exploit human trust rather than technical vulnerabilities. In 2025, such scams have contributed to escalating losses across the ecosystem, with human error identified as the top risk factor in a recent Web3 security analysis.

• Global Scam Patterns: North Korean-linked actors have stolen over $300 million by impersonating industry figures in fake Zoom and Microsoft Teams meetings earlier this month. In December 2025, Indian authorities dismantled a decade-old Ponzi scheme across 21 locations in Karnataka, Maharashtra, and Delhi, involving fraudulent platforms and social media recruitment since 2015.
• Market Impact: Social engineering incidents have heightened user caution, potentially slowing adoption rates. While crypto market capitalization remains robust at around $2.5 trillion as of late 2025, scam-related losses could exceed $5 billion annually if trends persist, eroding confidence in exchanges like Coinbase.
• Predictive Outlook: Security firms anticipate a 20-30% rise in impersonation attacks in 2026, driven by AI-enhanced phishing. Enhanced user education and multi-factor authentication could mitigate risks, but the reliance on behavioral manipulation suggests ongoing challenges for decentralized finance.

"Canadian law enforcement may already be familiar with Haby since there’s been several swatting attempts involving his personal details locally. Unfortunately, Canada is a jurisdiction that rarely ever prosecutes threat actors… I hope Canadian LE makes an exception," ZachXBT added, emphasizing the abundance of evidence.

These cases highlight the need for regulatory focus on jurisdictions like Canada, where prosecution rates for crypto crimes lag behind the U.S. and EU. As Web3 evolves, bolstering psychological defenses alongside technical ones will be crucial to sustaining market growth. How do you see the rise of social engineering scams shaping user trust and security practices in the crypto industry?