ZachXBT Exposes $2M Coinbase Impersonation Scam via Onchain Clues and Social Media Evidence
A Canadian threat actor known as Haby or Havard allegedly stole over $2 million from Coinbase users through social engineering scams in 2025 by impersonating support staff. Blockchain investigator ZachXBT uncovered the scammer's identity and tactics using onchain data, social media evidence, and OSINT methods. The suspect posed as a Coinbase representative, convinced users their accounts were compromised, and tricked them into transferring cryptocurrency to attacker-controlled wallets, according to research.
ZachXBT revealed the scammer used spoofed phone numbers and fake customer support interactions to manipulate users into revealing sensitive information or approving unauthorized transactions, based on analysis. A leaked video showed the suspect interacting with a victim on a call, further validating the impersonation scheme, according to findings. The scammer spent the stolen funds on rare social media usernames, club services, and gambling, according to reports.
The scammer attempted to cover his tracks by frequently purchasing high-value Telegram usernames and deleting old accounts. However, poor operational security, such as sharing selfies and lifestyle updates on social media, made it easy for ZachXBT to trace his identity, according to analysis. The investigator also noted that the scammer's location could be linked to Abbotsford, near Vancouver, British Columbia, as reported.

Why Did This Scam Work?
The scam primarily relied on social engineering rather than technical exploits. Scammers often target human trust and urgency to gain control over victims' funds, according to research. In this case, Haby used a combination of phone calls and digital interactions to mimic a legitimate Coinbase support team. Victims were led to believe that their accounts were under threat and needed immediate action, as detailed.
The use of fake wallet addresses and impersonation of customer support was key to the scam's success. ZachXBT found that the scammer would spoof wallet addresses and deposit stolen funds into Bitcoin wallets before using them for personal expenses, according to onchain analysis. This shows how attackers can use multiple layers of deception to hide their activities.
How Did ZachXBT Uncover the Scammer?
ZachXBT used a combination of onchain analysis and social media evidence to expose the scammer's identity. By cross-referencing wallet transactions, Telegram group chats, and social media posts, he was able to trace the movements of the stolen funds and the scammer's online presence, according to reports.
The investigator shared screenshots and wallet data that linked the scammer to a $44,000 XRP theft in December 2024, as well as multiple Bitcoin transactions. These clues helped build a case against the suspect, who had shown little regard for operational security, according to financial reports.
ZachXBT also noted that the scammer had shared private device details, such as the name "Harvi's MacBook Air," in group chats. This level of detail exposed the scammer's poor security practices and made it easier for investigators to track his activities, according to evidence.
What Can Users Do to Prevent Such Scams?
Coinbase and other major exchanges have repeatedly warned users that support staff will never ask for seed phrases, passwords, or direct transfers to personal wallets. Users should be cautious about unsolicited calls, emails, or messages that claim to be from customer support. Always verify such communications through official app channels.
Additionally, users should avoid clicking on links sent via unverified sources and refrain from sharing sensitive information over the phone. Storing significant holdings in hardware wallets and using strong, unique passwords for each service also helps reduce the risk of falling victim to scams.
Context of Rising Social Engineering Threats
This case is part of a broader trend of social engineering attacks in the crypto industry. In 2025 alone, such scams accounted for billions in losses across the sector. The increasing sophistication of these attacks highlights the need for better user education and improved security measures.
ZachXBT noted that the scammer's poor opsec and frequent social media posts made it possible to track his activities. This underscores how scammers can be unmasked if they fail to protect their online identities.
What's Next for the Scammer and Law Enforcement?
ZachXBT urged Canadian law enforcement to investigate the case further, citing the strong evidence available. However, he noted that jurisdictions like Canada often struggle with prosecuting cybercriminals. Law enforcement in the U.S. and India have made some progress in recent months, with arrests and raids targeting similar scams.
As cryptocurrency adoption grows, the need for robust security protocols and user awareness becomes more critical. This case serves as a reminder that while blockchain tools can help trace fraud, prevention remains the most effective defense against social engineering attacks.
