A Canadian scammer known as Haby, or Havard, stole over $2 million in cryptocurrency from Coinbase users in 2025 through impersonation attacks. Posing as support staff, he tricked victims into transferring funds. Blockchain investigator ZachXBT exposed him via on-chain analysis and social media leaks.
-
ZachXBT linked Haby to a 21,000 XRP theft ($44,000) from a December 2024 screenshot, tracing it to further Coinbase scams totaling $500,000.
-
Haby swapped stolen assets to Bitcoin, with wallet balances matching leaked group chat screenshots from February 2025.
-
Poor operational security, including Instagram brags and location data from Abbotsford, British Columbia, confirmed his identity through OSINT.
Coinbase impersonation scam by Haby exposed: How ZachXBT traced $2M crypto thefts in 2025. Tactics, blockchain analysis, and prevention tips. Protect your wallet now – read expert insights.
What is the Coinbase impersonation scam orchestrated by Haby?
The Coinbase impersonation scam involved a threat actor named Haby, or Havard, from Canada, who posed as Coinbase customer support to defraud users of more than $2 million in cryptocurrency during 2025. By making fraudulent calls using spoofed phone numbers, he convinced victims to transfer assets to attacker-controlled wallets under the guise of securing accounts. Blockchain investigator ZachXBT uncovered the scheme through meticulous on-chain tracing and social media evidence.
How did ZachXBT expose the Coinbase impersonation scammer Haby?
ZachXBT’s investigation started with a December 30, 2024, social media post by Haby boasting about a 21,000 XRP theft worth $44,000 from a Coinbase user. Matching the wallet address revealed two more thefts totaling around $500,000. Haby quickly swapped the stolen XRP to Bitcoin via instant exchanges, but timing analysis led ZachXBT to the Bitcoin deposit address.
In February 2025, Haby shared screenshots in a group chat showing a wallet with $237,000, perfectly aligning with the traced address’s balance on February 1. Backward tracing uncovered three additional impersonation thefts exceeding $560,000. Leaked videos and Instagram stories exposed Haby’s email, Telegram handle, and device details like “Harvi’s MacBook Air,” confirming his involvement.
Social media posts revealed Haby’s lavish spending on Telegram usernames, luxury goods, and gambling, funded by scams. A chat member even warned him against frequent flexing. OSINT pinned his location to Abbotsford, near Vancouver, British Columbia. Haby deleted accounts just before the probe’s publication, but archived data linked aliases across platforms.
Frequently Asked Questions
What caused the rise in Coinbase impersonation scams in 2025?
The escalation stemmed from a May 2025 insider data breach where cybercriminals bribed overseas support agents, primarily in Hyderabad, India, to steal customer details like names, emails, phone numbers, addresses, IDs, and balances. This affected about 1% of users, or 70,000 high-value accounts. Attackers used the data for targeted calls without needing private keys, making scams highly effective.
How can you protect yourself from Coinbase support impersonation scams?
Never transfer funds based on unsolicited calls claiming account issues. Coinbase support never requests wallet transfers. Verify contacts via official app channels, enable 2FA, and monitor transactions closely. Report suspicious activity directly to Coinbase security without engaging scammers. Staying vigilant prevents falling for these voice-based social engineering tactics.
Key Takeaways
- Blockchain forensics are powerful: ZachXBT’s on-chain and timing analysis dismantled Haby’s operation, linking swaps and leaks across assets.
- Poor opsec dooms scammers: Social media brags about thefts and lifestyles provided crucial evidence, highlighting risks of oversharing.
- Insider threats amplify risks: Bribed agents enabled precise targeting; users must prioritize official verification for protection.
Conclusion
The Coinbase impersonation scam by Haby underscores the evolving threats in cryptocurrency security during 2025, from social engineering to insider data leaks totaling millions in losses. ZachXBT’s exposure via blockchain analysis and OSINT demonstrates the value of transparent investigations in the crypto space. As law enforcement ramps up with arrests like those of Ronald Spektor and Indian insiders, users should adopt verified communication protocols. Stay informed and secure your assets to navigate future Coinbase impersonation scam risks effectively.
ZachXBT traces theft via blockchain analysis
ZachXBT’s probe highlighted Haby’s operational lapses, with screenshots and videos leaking key identifiers. Backward wallet traces revealed a pattern of Coinbase support fraud, emphasizing how public boasts can unravel scams.
Scammer operated with poor operational security
Haby’s Instagram and Telegram activity painted a clear picture: frequent posts of bottle service, luxury purchases, and gambling wins from stolen crypto. Location data from stories confirmed Abbotsford, British Columbia, sealing the case.
Coinbase support impersonation scams escalated in 2025
Beyond Haby, the year saw sophisticated attacks using breached data for “Elite Support” impersonations. Coinbase refused a $20 million ransom, offered bounties, and compensated victims, showing proactive defense amid 70,000 targeted accounts.
Multiple arrests happened in December 2025
Key actions included charging Ronald Spektor for $16 million in thefts via fake “secure vault” transfers, and arresting a former Indian support agent tied to the May breach. These mark progress against organized impersonation rings.
