GAS: 0.0709 Gwei
Cryptocurrency, Security by Amir Rocha // Crypto News Reporter

ZachXBT Exposes Canadian ‘Haby’ in $2M Coinbase Support Scam

On-chain investigator traces $2M in stolen funds to a Canadian national who flaunted the proceeds on rare usernames and nightclubs.

The Lead

On-chain sleuth ZachXBT has identified a Canadian national, operating under the alias “Haby” (or Havard), as the architect of a $2 million social engineering campaign targeting Coinbase users. In a thread published December 29, the investigator detailed how the threat actor bypassed cryptographic security entirely, relying instead on impersonation tactics to drain user accounts.

The Scheme

The attack vector was purely psychological. Haby allegedly impersonated Coinbase support staff through spoofed phone calls and messaging apps, tricking victims into surrendering 2FA codes or authorizing transfers. Unlike DeFi exploits that target smart contract vulnerabilities, this campaign exploited human error.

ZachXBT’s investigation, built on cross-referencing blockchain transactions with social media metadata, revealed the stolen funds were funnelled into a specific spending pattern: rare Telegram usernames, high-end bottle service, and gambling.

Operational Security Failures

The breakdown of Haby’s anonymity stemmed from “poor operational security.” The investigator highlighted a specific instance where the scammer screen-recorded himself conducting a fraudulent support call. In the footage, Haby accidentally exposed his personal email address and Telegram handle.

“Meet Haby (Havard), a Canadian threat actor who has stolen $2M+ via Coinbase support impersonation social engineering scams in the past year…,” ZachXBT

On-chain data corroborated the digital footprint. One specific wallet, flaunted by Haby in a private Telegram group chat, held approximately $237,000 in February. Another screenshot posted by the suspect showed a theft of 21,000 XRP (~$44,000) from a single victim. The sleuth traced these assets back to a resident of Abbotsford, British Columbia.

The Institutional Context

This exposure underscores a pivot in crypto-crime mechanics. As protocol-level security hardens, attackers are increasingly reverting to “human hacking.” Security firms have noted a sharp rise in support-impersonation attacks, forcing exchanges like Coinbase to aggressively educate users on verifying communication channels. The identification of Haby adds a tangible face to a growing statistic.

> ABOUT_THE_AUTHOR _

Amir Rocha

// Crypto News Reporter

I’m Amir Rocha, a reporter who believes you shouldn't need a computer science degree to understand the future of money. I spend my days translating technical developments from Zero-Knowledge rollups into clear, actionable insights for SEC filings. After 8 years in the blockchain space, I’ve learned that the most important story isn't the price, but the technology underneath. I write to help you spot the difference between genuine innovation and a marketing gimmick

VIEW_PROFILE >>

RELATED INTELLIGENCE

Crypto User Loses $50M to ‘Address Poisoning’ Scam; Funds Washed via Tornado Cash

Ledger Users Targeted After Global-e Breach Exposes Customer Data

World Liberty Financial Files for OCC Bank Charter; USD1 Hits $3.3B